Quick Security Question (Anonymous "Add Documents, Images, and Files")
Hi all,

I have a python script that does a manage_addFile (it generates a cached version of a converted file the first time the page is viewed). To allow anon users to access the page itself I've had to allow anon "Add Documents, Images, and Files" in the root folder security. I've disabled it again while I await confirmation.

These are the only options available to me in the python script's security settings:

Access contents information
Change Python Scripts
Change bindings
Change cache settings
Change permissions
Change proxy roles
Delete objects
Manage WebDAV Locks
Manage properties
Take ownership
Undo changes
View
View History
View management screens
WebDAV Lock items
WebDAV Unlock items
WebDAV access

My question is: Does enabling website wide anonymous "Add Documents, Images, and Files" mean users will be able to upload files, etc. indiscriminately? Or does it just mean anon user-initiated scripts and forms that generate files will work?

Thanks,
Adam

Hi Everyone,

I want to allow my users to cut/paste/copy stuff just like you can in Zope, but without using the actual Zope environment. So, I looked at the source code of the Zope environment, added '<input type="checkbox" name="ids:list" value="%s"/>' % context.getId() to each item, put them in a form and added the various buttons that Zope generates.

This works. Except for two things:

1) After the user presses Cut, my browser will be pointed to the Zope environment, even though the url in address still has the right value. I would like to return to the page where I came from, not the Zope environment.

2) I cannot determine when to show the Paste button. Zope only shows it when Paste is possible. I would like to do this too and build some more restrictions (not all objects should be pastable in all folders).

Any ideas?

Thanks in advance,
Douwe

Douwe Osinga writes:
> 1) After the user presses Cut, my browser will be pointed to the Zope environment, even though the url in address still has the right value. I would like to return to the page where I came from, not the Zope environment.

Check the action of your form!
Seems to point to a Zope management page.

> 2) I cannot determine when to show the Paste button. Zope only shows it when Paste is possible. I would like to do this too and build some more restrictions (not all objects should be pastable in all folders).

Zope remembers the clipboard content in a cookie. The paste button appears when the cookie is defined and not empty.

Dieter

Hi Dieter,

Thanks for your advice.

>> 1) After the user presses Cut, my browser will be pointed to the Zope environment, even though the url in address still has the right value. I would like to return to the page where I came from, not the Zope environment.
>
> Check the action of your form! Seems to point to a Zope management page.

Yes, that is what you would suppose. However, the action of the form points to the object itself, not to the manage method. It calls the manage method nevertheless. I suppose I could redo the cut/paste/copy stuff in python, but just placing <input class="form-element" type="submit" name="manage_cutObjects:method" value="Knip" /> is so much easier.

>> 2) I cannot determine when to show the Paste button. Zope only shows it when Paste is possible. I would like to do this too and build some more restrictions (not all objects should be pastable in all folders).
>
> Zope remembers the clipboard content in a cookie. The paste button appears when the cookie is defined and not empty.

Do you happen to know which cookie should contain what?

Douwe
Douwe Osinga writes:
> Yes, that is what you would suppose. However, the action of the form points to the object itself, not to the manage method. It calls the manage method nevertheless. I suppose I could redo the cut/paste/copy stuff in python, but just placing <input class="form-element" type="submit" name="manage_cutObjects:method" value="Knip" /> is so much easier.

The "name=manage_cutObjects:method" tells Zope to call "manage_cutObjects". When your document does not define this method explicitly, Zope's corresponding method is used (maybe acquired). Probably, that is the reason why you see Zope's management interface.

>>> 2) I cannot determine when to show the Paste button. Zope only shows it when Paste is possible. I would like to do this too and build some more restrictions (not all objects should be pastable in all folders).
>>
>> Zope remembers the clipboard content in a cookie. The paste button appears when the cookie is defined and not empty.
>
> Do you happen to know which cookie should contain what?

Something like: "cb_....". I could look at the code to find out precisely. But you, too... Or you tell your browser to inform you about "setCookie" requests and see what Zope tries to set...

Dieter

participants (3)
- Adam Warner
- Dieter Maurer
- Douwe Osinga