Security for objects being called
Hello all,

I'm trying to figure out how to prevent certain zope objects from being called directly but allow them to be called from another object.

Here is an example: You have a ZPT page, let's originally call it 'test'
test calls a Script(Python) 'script'

I want any anonymous user to be able to call 'test' from the web but not 'script'. However, I want 'test' to call 'script' and render the contents of 'script' to anonymous users through 'test'. I tested this out by making the 'script' View permission only available for Authenticated users, and as anonymous I can neither hit 'test' nor 'script'.

Based on my understanding of the Zope security framework I don't think this is possible... hopefully someone can tell me I'm wrong though and show me how to do it :)

Thanks very much for your time,

- Thibaud
On Mon, Sep 15, 2008 at 07:44:58PM -0400, Thibaud Morel l'Horset wrote:
> Hello all,
> I'm trying to figure out how to prevent certain zope objects from being called directly but allow them to be called from another object.
> Here is an example: You have a ZPT page, let's originally call it 'test' test calls a Script(Python) 'script'
> I want any anonymous user to be able to call 'test' from the web but not 'script'. However, I want 'test' to call 'script' and render the contents of 'script' to anonymous users through 'test'. I tested this out by making the 'script' View permission only available for Authenticated users, and as anonymous I can neither hit 'test' nor 'script'.
> Based on my understanding of the Zope security framework I don't think this is possible... hopefully someone can tell me I'm wrong though and show me how to do it :)

http://plope.com/Books/2_7Edition/Security.stx#2-62

--
Paul Winkler http://www.slinkp.com
Thanks for the response Paul. I don't see a Proxy tab on Page Templates though, only DTML methods: do I need to install an additional product for that? or is it configured somewhere else for Templates?

On Tue, Sep 16, 2008 at 7:48 AM, Paul Winkler <slinkp@gmail.com> wrote:
> On Mon, Sep 15, 2008 at 07:44:58PM -0400, Thibaud Morel l'Horset wrote:
> > Hello all,
> > I'm trying to figure out how to prevent certain zope objects from being called directly but allow them to be called from another object.
> > Here is an example: You have a ZPT page, let's originally call it 'test' test calls a Script(Python) 'script'
> > I want any anonymous user to be able to call 'test' from the web but not 'script'. However, I want 'test' to call 'script' and render the contents of 'script' to anonymous users through 'test'. I tested this out by making the 'script' View permission only available for Authenticated users, and as anonymous I can neither hit 'test' nor 'script'.
> > Based on my understanding of the Zope security framework I don't think this is possible... hopefully someone can tell me I'm wrong though and show me how to do it :)
>
> http://plope.com/Books/2_7Edition/Security.stx#2-62
> --
> Paul Winkler http://www.slinkp.com
On Tue, Sep 16, 2008 at 08:55:33AM -0400, Thibaud Morel l'Horset wrote:
> Thanks for the response Paul. I don't see a Proxy tab on Page Templates though, only DTML methods: do I need to install an additional product for that? or is it configured somewhere else for Templates?

Oops, right you are. Templates don't have proxy roles.

One obvious workaround: Add a dtml method that consists only of <dtml-var test>. Make this dtml method anonymously viewable, and give it a proxy role of Authenticated. Then make your real template, and the script it calls, both viewable only by Authenticated.

--
Paul Winkler http://www.slinkp.com
Thibaud Morel l'Horset wrote at 2008-9-15 19:44 -0400:
> I'm trying to figure out how to prevent certain zope objects from being called directly but allow them to be called from another object.
> Here is an example: You have a ZPT page, let's originally call it 'test' test calls a Script(Python) 'script'

Your options:

 * check in "script" that it was not called directly via the Web.
   You can do this by checking against "REQUEST['PUBLISHED']".

 * give your "script" a non-"None" "index_html" attribute
   Then, this "index_html" is called when accessed from the Web; otherwise, the "script"s "__call__" is called.

 * give your "script" and its "__call__" method an empty docstring.

--
Dieter