Restricting URL access to objects that are not complete web pages
After reading the Zope lists for a couple of months to struggle up the Zope learning curve, it's time for my first question.

I want to serve web pages built up from a database of document components. Zope's object-based subsystems should be completely hidden so that the only objects accessible over the web interface are complete, well-formed HTML web pages.

For the sake of simplicity, suppose we have three types of components: web pages, articles and sections. These components obey the following 4 rules:

1. Web pages operate just like a DTML document, where the articles and sections from which it is built are specified via dtml-var. The page definition starts with standard_html_header and _footer (or similar) to create nice HTML output.

2. Articles are primarily meant for inclusion within a web page so that they are displayed in a browser by specifying the URL of their containing web page. However, if an article's URL is specified, the article automatically gets wrapped in an HTML template.

3. Sections are only used as building blocks for other documents so it must not be possible to retrieve a section via a URL.

4. Similarly, standard_html_header and other methods/objects not meant to be a standalone web page should not be accessible via a URL.

My thoughts were to use an html_header that tracks how deeply components are nested so that inner components turn off the page wrapper. This achieves 1 and 2. This also achieves 3 if sections raise an exception if their page wrapper is not turned off.

But 4 was where I got stuck. I want to use the full magic of acquisition when assembling web pages from components within a page, but prevent acquisition from returning other objects via URLs. So mypage in http://myserver:8080/myarea/mypage is able to find standard_html_header by acquisition but http://myserver:8080/myarea/mypage/standard_html_header gives a not-found error.

Any suggestions? Something involving permissions/roles? Hacking before_bobo_traverse()? Something simpler?

Thanks for any assistance!

Stephen

_______________________________
Stephen Simmons
HealthArena B.V.
phone +31 20 486 0555
stephen.simmons@healtharena.net
Stephen Simmons wrote:
3. Sections are only used as building blocks for other documents so it must not be possible to retrieve a section via a URL.
That is not currently possible in Zope and is one of my pet peeves :-S

See the 'Protocol Accessibility' proposal on dev.zope.org for a possible solution...

cheers,

Chris
Chris, Stephen,

Wouldn't an external method something like the following work for the moment?

    def getobj(self, url=None):
        # Resolve a path to an object from DTML; restrictedTraverse applies
        # Zope's security checks at each step of the traversal.
        if url is None:
            return None
        return self.restrictedTraverse(url)

so in dtml you can do something like:

    <dtml-var "getobj(url='/home/myfolder/index_html')">

or

    <dtml-var "getobj(url='/home/myfolder/index_html').absolute_url()">

etc.

maybe?!!?

Phil
phil.harris@zope.co.uk

----- Original Message -----
From: "Chris Withers" <chrisw@nipltd.com>
To: "Stephen Simmons" <stephen.simmons@healtharena.net>
Cc: <zope@zope.org>
Sent: Thursday, September 21, 2000 9:56 AM
Subject: Re: [Zope] Restricting URL access to objects that are not complete web pages
Stephen Simmons wrote:
3. Sections are only used as building blocks for other documents so it must not be possible to retrieve a section via a URL.
That is not currently possible in Zope and is one of my pet peeves :-S
See the 'Protocol Accessibility' proposal on dev.zope.org for a possible solution...
cheers,
Chris
_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )
Stephen Simmons wrote:
Any suggestions? Something involving permissions/roles? Hacking before_bobo_traverse()? Something simpler?
You could use SiteAccess for this; get it to match the allowed paths and patterns to those documents you want available directly through the web, and return a 404 to those that don't match.

--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net
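The behaviour asked for in this thread (acquisition available while a page is assembled, but only complete pages and articles reachable by URL, everything else answering 404), as an added example that is not code from any poster, from Zope or from SiteAccess. It is a toy Python model: Obj, lookup, publish, render, PUBLISHABLE and the sample site are hypothetical names constructed for illustration.

```python
# Toy model (constructed; not Zope's API) of URL traversal with acquisition
# and a deny-by-default publish check matching the four rules in the thread.
class Obj:
    def __init__(self, name, kind, parent=None):
        self.name, self.kind, self.parent = name, kind, parent
        self.children = {}
        if parent is not None:
            parent.children[name] = self

def lookup(context, name):
    """Return (object, acquired): search context first, then its containers."""
    node, acquired = context, False
    while node is not None:
        if name in node.children:
            return node.children[name], acquired
        node, acquired = node.parent, True   # anything found from here on is acquired
    return None, False

PUBLISHABLE = {"page", "article"}  # rules 1 and 2; sections and helpers are excluded

def publish(root, url_path):
    """Return the HTTP status a request for url_path gets under the policy."""
    obj = root
    for step in filter(None, url_path.split("/")):
        obj, acquired = lookup(obj, step)
        if obj is None or acquired:          # URL steps must be real containment
            return 404
    return 200 if obj.kind in PUBLISHABLE else 404

def render(page, names):
    """Template-side assembly: acquisition stays fully available here."""
    return [lookup(page, n)[0].kind for n in names]

# Constructed sample site mirroring the paths used in the question.
root = Obj("", "folder")
Obj("standard_html_header", "helper", root)
myarea = Obj("myarea", "folder", root)
mypage = Obj("mypage", "page", myarea)
Obj("intro", "article", myarea)
Obj("sec1", "section", myarea)
```

The check is deny-by-default: an object type that is not listed in PUBLISHABLE, or a URL step that only resolves through acquisition, gets the same 404 as a missing object.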
participants (4)
- Chris Withers
- Phil Harris
- Stephen Simmons
- Steve Alexander