Zope 2, local python script security
Hi Zope list,

I have a (zope 2.8.8-final) folder that gives users with the role "Authenticated" the following Permissions:

-------------------------------
. access contents
. view
- note: no webDav or FTP access is allowed
-------------------------------

Playing around with wget and curl I find I can (with proper authentication) download the "published" but not raw source of zpt and python files available in the folder.

So, for example, the script "\folder\pyDate" returns '2007/05/23' not its source, e.g.

    # module: pyDate
    from DateTime import DateTime
    return DateTime().Date()

This is the behavior I want - as we have a requirement to keep source secure.

I realize that source in Zope-Instance/Extensions is the most secure but I'm interested in local script security.

Thanks,
David
On 5/23/07, David H <bluepaul@earthlink.net> wrote:
I have a (zope 2.8.8-final) folder that gives users with the role "Authenticated" the following Permissions:
-------------------------------
. access contents
. view
- note: no webDav or FTP access is allowed
-------------------------------
Playing around with wget and curl I find I can (with proper authentication) download the "published" but not raw source of zpt and python files available in the folder.
So, for example, the script "\folder\pyDate" returns '2007/05/23' not its source, e.g.
    # module: pyDate
    from DateTime import DateTime
    return DateTime().Date()
This is the behavior I want - as we have a requirement to keep source secure.
I realize that source in Zope-Instance/Extensions is the most secure but I'm interested in local script security.
I am not sure what your question is, you didn't state any. I am guessing that you want to know if there is any way Authenticated could get at the source anyway. The answer to that question is: no, unless users have additional permissions they cannot see the source code of DTML and Python scripts.

--
Martijn Pieters
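One way to confirm that no role holds the "additional permissions" the reply refers to, as an added example (not code from this thread or from Zope itself): it reads the Security-tab settings of a folder and the scripts and templates in it, following acquired settings up the containers. It assumes the permissions to audit are "View management screens" plus the "FTP access" and "WebDAV access" permissions the original post mentions; `effective_roles` and `audit_source_exposure` are hypothetical names, and local roles are not considered.

```python
# Added example, not from the thread. Meant to run inside Zope 2 (for
# instance from an External Method); it only reads security settings.
SOURCE_PERMISSIONS = (            # assumption: permissions worth auditing
    "View management screens",
    "FTP access",
    "WebDAV access",
)
SCRIPT_TYPES = ["Script (Python)", "Page Template", "DTML Method", "DTML Document"]


def effective_roles(obj, permission):
    """Roles holding `permission` on obj, following acquired settings upward."""
    roles = []
    while obj is not None and hasattr(obj, "rolesOfPermission"):
        try:
            # Each entry looks like {'name': role, 'selected': 'SELECTED' or ''}.
            entries = obj.rolesOfPermission(permission)
        except ValueError:        # permission is not defined for this object
            break
        for entry in entries:
            if entry["selected"] and entry["name"] not in roles:
                roles.append(entry["name"])
        # 'CHECKED' means the Security tab's "Acquire" box is ticked.
        if not obj.acquiredRolesAreUsedBy(permission):
            break
        obj = getattr(getattr(obj, "aq_inner", obj), "aq_parent", None)
    return roles


def audit_source_exposure(folder, trusted=("Manager",)):
    """Return {(object id, permission): [roles outside `trusted`]}."""
    findings = {}
    for target in [folder] + list(folder.objectValues(SCRIPT_TYPES)):
        for permission in SOURCE_PERMISSIONS:
            extra = [r for r in effective_roles(target, permission)
                     if r not in trusted]
            if extra:
                extra.sort()
                findings[(target.getId(), permission)] = extra
    return findings
```

An empty result means only the trusted roles hold any of the audited permissions on the folder and its scripts.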