Newbie Questions (or maybe not... ;-)
Hi,

I'm hoping these both have simple answers. Firstly, is there any way you can make component DTML methods such as standard_html_header (and maybe other objects) invisible to the outside world? It's messy (and possibly a security hazard!) if they're not, for example, take a look at http://www.zope.org/standard_html_footer. This isn't really the sort of thing you want visible on its own but what if that method actually did something like delete files/etc...

Secondly, is there any way you can specify a parent object of the same name in a DTML method? What I want to do is build up standard_html_header as you get deeper into a directory structure, for example:

in / standard_html_header is:
<HTML><HEAD><TITLE><!--#var title_or_id--></TITLE></HEAD><BODY BGCOLOR="#FFFFFF">

in /dir1 standard_html_header is:
<dtml-var standard_html_header>
Some more text for a header...

and so on...

Of course, this generates an infinite recursion. So what I'm asking is if there's any way to tell the dtml-var call in /dir1/standard_html_header to use the standard_html_header in / rather than in /dir1?

Cheers for any help,

Chris
Chris Withers wrote:
Hi,
I'm hoping these both have simple answers. Firstly, is there any way you can make component DTML methods such as standard_html_header (and maybe other objects) invisible to the outside world?
It's messy (and possibly a security hazard!) if they're not, for example, take a look at http://www.zope.org/standard_html_footer. This isn't really the sort of thing you want visible on its own but what if that method actually did something like delete files/etc...
You can give them permissions that do not make them only visible to a special user (let's say the Role is called SpecialUser). Then if you want to use them from another method, you can give this method a so called 'proxy role' (in this case the 'SpecialUser' role) which gives it the permission to execute the method in question. I vaguely remember that there was some documentation available on this matter, but I couldn't find it. (To complicate this there is one caveat about proxy roles however: there seems to be a bug which prevents authorized users from changing the methods in question after their proxy roles have changed. This seems to be a bug - it may be remediated one day)
Secondly, is there any way you can specify a parent object of the same name in a DTML method? What I want to do is build up standard_html_header as you get deeper into a directory structure, for example:
in / standard_html_header is: <HTML><HEAD><TITLE><!--#var title_or_id--></TITLE></HEAD><BODY BGCOLOR="#FFFFFF">
in /dir1 standard_html_header is: <dtml-var standard_html_header> Some more text for a header...
and so on...
Of course, this generates an infinite recursion. So what I'm asking is if there's any way to tell the dtml-var call in /dir1/standard_html_header to use the standard_html_header in / rather than in /dir1?
Yes, use:

<dtml-with "PARENTS[-1]">
<dtml-var standard_html_header>
</dtml-with>

PARENTS[-1] always is the top folder.

Of course you could also do it another way (simpler) by not calling the header in your method, but naming it differently. This would prevent infinite recursion (and possibly also some other very intricate acquisition problems further down the road).

Rik
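The two answers above (the View permission plus proxy roles for the first question, and PARENTS[-1] for the second) are easier to reason about with a small executable model. The block below is an added example written for this page, not Zope code and not anything a participant posted: it is a toy folder tree with acquisition-style lookup, a PARENTS list, a View-permission check and proxy roles. It assumes, as Zope's publisher does, that PARENTS is fixed for the whole request (the folder the URL went through, its parent, and so on up to the root) and does not change inside nested calls; the folder names, role names and method bodies are made up. It also covers the PARENTS[1] variant suggested later in the thread, and shows why that one only works when the header is called directly on /dir1.

```python
"""Toy model of acquisition, PARENTS and proxy roles as discussed in this
thread.  Constructed illustration, not Zope code; names are made up."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Sequence


class Unauthorized(Exception):
    pass


class Folder:
    def __init__(self, id: str, parent: Optional["Folder"] = None):
        self.id, self.parent = id, parent
        self.objects: Dict[str, "DTMLMethod"] = {}

    def add(self, m: "DTMLMethod") -> "DTMLMethod":
        self.objects[m.id] = m          # replaces an existing object of that id
        return m

    def subfolder(self, id: str) -> "Folder":
        return Folder(id, self)

    def parents(self) -> List["Folder"]:
        """[this folder, its parent, ..., root]; the root is always last."""
        out, node = [], self
        while node is not None:
            out.append(node)
            node = node.parent
        return out

    def acquire(self, name: str) -> "DTMLMethod":
        """<dtml-var name>: nearest object with that id, walking upwards."""
        for f in self.parents():
            if name in f.objects:
                return f.objects[name]
        raise KeyError(name)


@dataclass
class DTMLMethod:
    id: str
    body: Callable[["Context"], str]
    view_role: str = "Anonymous"      # role the View permission is granted to
    proxy_roles: Sequence[str] = ()   # if set, the body runs with these roles


class Context:
    """What a body sees while rendering: the request's PARENTS and dtml-var."""
    MAX_DEPTH = 25   # stand-in for Zope's recursion limit

    def __init__(self, folder: Folder, parents: List[Folder],
                 roles: FrozenSet[str], depth: int):
        self.folder, self.PARENTS, self.roles, self.depth = folder, parents, roles, depth

    def var(self, name: str, within: Optional[Folder] = None) -> str:
        """<dtml-var name>, optionally inside <dtml-with "within">.
        PARENTS is the request's list and stays the same in the nested call."""
        target = within or self.folder
        return render(target.acquire(name), target, self.PARENTS, self.roles, self.depth + 1)


def render(m: DTMLMethod, folder: Folder, parents: List[Folder],
           roles: FrozenSet[str], depth: int = 0) -> str:
    if depth > Context.MAX_DEPTH:
        raise RecursionError(f"{m.id} keeps calling itself")
    if m.view_role not in roles:                    # the View permission check
        raise Unauthorized(f"{m.id} needs role {m.view_role}")
    effective = frozenset(m.proxy_roles) or roles   # proxy roles replace the user's
    return m.body(Context(folder, parents, effective, depth))


def outcome(m: DTMLMethod, request_folder: Folder,
            roles: FrozenSet[str] = frozenset({"Anonymous"})) -> str:
    """Rendered text, or the name of the exception the render raised."""
    try:
        return render(m, request_folder, request_folder.parents(), roles)
    except (RecursionError, Unauthorized) as e:
        return type(e).__name__


# --- second question: /, /dir1 and /dir1/sub (constructed layout) ----------
ROOT = Folder("root")
DIR1 = ROOT.subfolder("dir1")
SUB = DIR1.subfolder("sub")
ROOT.add(DTMLMethod("standard_html_header", lambda c: "<HTML><BODY>"))
EXTRA = " <!-- dir1 extra -->"


def dir1_header(style: str) -> DTMLMethod:
    """Three ways /dir1/standard_html_header might reach the parent header."""
    def body(c: Context) -> str:
        if style == "naive":          # <dtml-var standard_html_header>
            return c.var("standard_html_header") + EXTRA
        if style == "PARENTS[1]":     # <dtml-with "PARENTS[1]">...</dtml-with>
            return c.var("standard_html_header", c.PARENTS[1]) + EXTRA
        return c.var("standard_html_header", c.PARENTS[-1]) + EXTRA
    return DTMLMethod("standard_html_header", body)


def header_results() -> Dict[str, str]:
    out = {}
    for style in ("naive", "PARENTS[1]", "PARENTS[-1]"):
        DIR1.add(dir1_header(style))
        for folder in (DIR1, SUB):    # requested on /dir1, and acquired from /dir1/sub
            out[f"{style}@{folder.id}"] = outcome(folder.acquire("standard_html_header"), folder)
    return out


# --- first question: hide the helper, give the caller a proxy role ---------
FOOTER = ROOT.add(DTMLMethod("standard_html_footer", lambda c: "</BODY></HTML>",
                             view_role="Component"))
PAGE = ROOT.add(DTMLMethod("index_html",
                           lambda c: "<P>hello</P>" + c.var("standard_html_footer"),
                           proxy_roles=("Component",)))
PLAIN = ROOT.add(DTMLMethod("other_page", lambda c: c.var("standard_html_footer")))


def visibility_results() -> Dict[str, str]:
    return {
        "footer requested directly": outcome(FOOTER, ROOT),
        "page with proxy role": outcome(PAGE, ROOT),
        "page without proxy role": outcome(PLAIN, ROOT),
    }
```

Running header_results() shows the naive header recursing from both folders, PARENTS[1] working only when the header is requested on /dir1 itself (from /dir1/sub, PARENTS[1] is /dir1 again), and PARENTS[-1] rendering the same text from either depth. visibility_results() shows the footer refused to an anonymous direct request, rendered through the page that carries the Component proxy role, and refused through a page that does not.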
Rik,

Thanks for the help with the second problem. Not entirely convinced about the first one though... it seems quite a lot of effort to go through just to stop people executing the methods on their own. Especially given that it sounds like you'd have to go through the process for each method, and in a big site I can imagine there'd be quite a lot of these :(

It's a shame there's no way to add a permission called 'execute' or similar to the security model. That permission could allow other objects to execute the method. You could then turn off the view permission, turn on the execute permission, and hey presto! problem solved...

Any ideas?

Chris
Chris Withers wrote:
Rik,
Thanks for the help with the second problem. Not entirely convinced about the first one though... it seems quite a lot of effort to go through just to stop people executing the methods on their own. Especially given that it sounds like you'd have to go through the process for each method, and in a big site I can imagine there'd be quite a lot of these :(
Not quite. You will have to create the methods anyway, even in a big site, and you could give them the proxy roles right at that time. Not much extra work, I'd think. For clarity: the executing methods have proxy roles, the executed ones just need to be protected.
It's a shame there's no way to add a permission called 'execute' or similar to the security model. That permission could allow other objects to execute the method. You could then turn off the view permission, turn on the execute permission, and hey presto! problem solved...
So, that's what proxy roles are for. More so if you'd define a role called Execute. (And still, in either case you'd have to turn on the execute permission on each method just the same.)

Rik
Hi Chris,
I'm hoping these both have simple answers. Firstly, is there any way you can make component DTML methods such as standard_html_header (and maybe other objects) invisible to the outside world?
You can use Zope's security settings to limit that. Every object has a Security tab, where you can choose which role can do what.
It's messy (and possibly a security hazard!) if they're not, for example, take a look at http://www.zope.org/standard_html_footer. This isn't really the sort of thing you want visible on its own but what if that method actually did something like delete files/etc...
If all pages of your site will make a reference to the standard_html_header, I think it is better if you do not delete anything from it. =]
Secondly, is there any way you can specify a parent object of the same name in a DTML method? What I want to do is build up standard_html_header as you get deeper into a directory structure, for example:
in / standard_html_header is: <HTML><HEAD><TITLE><!--#var title_or_id--></TITLE></HEAD><BODY BGCOLOR="#FFFFFF">
in /dir1 standard_html_header is: <dtml-var standard_html_header> Some more text for a header...
and so on...
One way to do that is:

<dtml-with "PARENTS[1]">
<dtml-var standard_html_header>
</dtml-with>

best regards,

-- 
Ze Octavio
Hiperlógica <http://hiper.com.br>
Web-site automation
São Paulo | Brazil | Phone: +55-11-8168067
One way to do that is:
<dtml-with "PARENTS[1]"> <dtml-var standard_html_header> </dtml-with>
Or if you want to guarantee the top level folder, regardless of how deep in a hierarchy you are, use PARENTS[-1]

--sam

-- 
Sam Gendler
Chief Technology Officer - Impossible, Inc.
1222 State St. Suite 250
Santa Barbara CA. 93101
w: 805-560-0508
f: 805-560-0608
c: 805-689-1191
e: sgendler@impossible.com
participants (4)
- Chris Withers
- Rik Hoekstra
- Sam Gendler
- Ze Octavio