RE: [Zope] Quick Security Question (Anonymous "Add Documents, Images, and Files")

It may be easier/safer to use the proxy tab on your python script to give it "manager" status (or the like) giving only the script the ability to upload images. Without a proxy the script would run with the permissions of the requesting user.

Jeff

-----Original Message-----
From: Adam Warner [SMTP:lists@consulting.net.nz]
Sent: Thursday, November 08, 2001 6:58 AM
To: zope@zope.org
Subject: [Zope] Quick Security Question (Anonymous "Add Documents, Images, and Files")
Hi all,
I have a python script that does a manage_addFile (it generates a cached version of a converted file the first time the page is viewed). To allow anon users to access the page itself I've had to allow anon "Add Documents, Images, and Files" in the root folder security. I've disabled it again while I await confirmation.
These are the only options available to me in the python script's security settings:
Access contents information
Change Python Scripts
Change bindings
Change cache settings
Change permissions
Change proxy roles
Delete objects
Manage WebDAV Locks
Manage properties
Take ownership
Undo changes
View
View History
View management screens
WebDAV Lock items
WebDAV Unlock items
WebDAV access
My question is: Does enabling website wide anonymous "Add Documents, Images, and Files" mean users will be able to upload files, etc. indiscriminately? Or does it just mean anon user-initiated scripts and forms that generate files will work?
Thanks,
Adam
On Fri, 2001-11-09 at 03:02, Jeffrey Robinson wrote:
> It may be easier/safer to use the proxy tab on your python script to give it "manager" status (or the like) giving only the script the ability to upload images.
> Without a proxy the script would run with the permissions of the requesting user.
Excellent advice thanks Jeffrey! I had also thought my original choice might allow anonymous file uploads via FTP (but I overlooked the separate FTP access setting). I agree that just giving this script the ability to create a file is superior to every script on my site having the permission (though not the capability) to be able to do so.

Regards,
Adam
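The two configurations discussed in this thread, compared in a small added example that is not part of the original messages and is not Zope code. It is a simplified model of a role-based permission check: Folder, Script, effective_roles, add_file and compare are hypothetical names, and Zope's additional check on the script owner's roles is left out.

```python
# Simplified model of the check discussed in the thread; not Zope's own code.
ADD_FILES = "Add Documents, Images, and Files"

class Unauthorized(Exception):
    pass

class Folder:
    def __init__(self, permission_roles):
        self.permission_roles = permission_roles  # permission -> roles granted
        self.files = {}

class Script:
    """Stand-in for a Script (Python) with an optional proxy-role list."""
    def __init__(self, proxy_roles=()):
        self.proxy_roles = set(proxy_roles)

def effective_roles(user_roles, script=None):
    # With proxy roles set, the script's roles replace the caller's roles
    # for what the script does; without them the caller's roles apply.
    if script is not None and script.proxy_roles:
        return set(script.proxy_roles)
    return set(user_roles)

def add_file(folder, file_id, data, user_roles, script=None):
    """Model of a manage_addFile call guarded by the ADD_FILES permission."""
    allowed = folder.permission_roles.get(ADD_FILES, set())
    if not (effective_roles(user_roles, script) & allowed):
        raise Unauthorized(ADD_FILES)
    folder.files[file_id] = data
    return file_id

def can_add(folder, user_roles, script=None):
    try:
        add_file(folder, "probe", b"", user_roles, script)
    except Unauthorized:
        return False
    del folder.files["probe"]
    return True

def compare():
    anon = {"Anonymous"}
    site_wide = Folder({ADD_FILES: {"Manager", "Anonymous"}})  # anon granted in root
    proxied = Folder({ADD_FILES: {"Manager"}})                 # grant left alone
    return {
        "site_wide, any anonymous call": can_add(site_wide, anon),
        "proxied, anonymous call outside the script": can_add(proxied, anon),
        "proxied, script with Manager proxy role": can_add(proxied, anon, Script(["Manager"])),
        "proxied, script without proxy role": can_add(proxied, anon, Script()),
    }

if __name__ == "__main__":
    for case, ok in compare().items():
        print(f"{case}: {'allowed' if ok else 'Unauthorized'}")
```

In the model the site-wide grant follows the Anonymous role on every call, while the proxy role confines the permission to the one script that carries it.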
participants (2): Adam Warner, Jeffrey Robinson