RE: [Zope] RDBMS Applications and direct calling of script(python) and sql methods
I use this ZSQL method to return the ID number of my users:
----------------------------------------------------------------------------
select employee_id from staff where login = <dtml-sqlvar "REQUEST.get('AUTHENTICATED_USER')" type=string>
----------------------------------------------------------------------------
Says KeyError AUTHENTICATED_USER when I try it.
Thanks, Derek Wilson
-----Original Message-----
From: Erik Myllymaki [mailto:erik.myllymaki@aviawest.com]
Sent: Thursday, October 09, 2003 3:54 PM
To: zope@dylanreinhardt.com; Eric Merritt
Cc: Zope Users
Subject: Re: [Zope] RDBMS Applications and direct calling of script(python) and sql methods
On Thu, 2003-10-09 at 13:36, Eric Merritt wrote:
Let's take a simple example: assume that each user has an id that is keyed to his 'stuff'. The ZSQL method must be passed this id to access his stuff. This is all fine and good; a Script (Python) method could provide this to the ZSQL method behind the scenes without any great issue. The problem comes in when the user attempts to access this ZSQL method via its URL. Going this route he could pretty easily supply an arbitrary id and get access to information that he shouldn't have.
Yes, that would be a problem... so don't do it that way. :-)
Instead, have Zope provide you the name of the user from its authentication machinery. That's *much* harder to spoof.
To get this, cook up a Python script called get_user and use this for the code:
----
# Script (Python): ask Zope's security machinery who the caller is
from AccessControl import getSecurityManager
return getSecurityManager().getUser().getUserName()
----
Now include a call to get_user() when you need to pass in the username as a parameter to your query.
Any reason why you shouldn't just use <dtml-var AUTHENTICATED_USER> as a parameter to your SQL query?
just curious...
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
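The two approaches discussed in this thread, side by side, as an added example that is not code from the thread or from Zope itself. Python's sqlite3 stands in for the ZSQL method and a plain login string stands in for getSecurityManager().getUser().getUserName(); the table names staff and stuff, the columns employee_id/login/item, the function names and the sample rows are all constructed for this illustration. Parameter binding (?) plays the role of <dtml-sqlvar ... type=string>.

```python
"""Resolve the row owner from the authenticated principal, never from a
caller-supplied id.  Constructed stand-in for the Zope pattern above:
sqlite3 replaces the ZSQL method, a login string replaces getUserName()."""
import sqlite3

# Constructed sample data: two staff members, each owning some "stuff".
STAFF = [(1, "alice"), (2, "bob")]
STUFF = [(1, "alice-payslip"), (1, "alice-review"), (2, "bob-payslip")]


def make_db():
    """Build an in-memory database with the two tables assumed here."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE staff (employee_id INTEGER PRIMARY KEY, login TEXT UNIQUE)")
    db.execute("CREATE TABLE stuff (employee_id INTEGER, item TEXT)")
    db.executemany("INSERT INTO staff VALUES (?, ?)", STAFF)
    db.executemany("INSERT INTO stuff VALUES (?, ?)", STUFF)
    return db


def stuff_by_id_from_request(db, request):
    """The pattern Eric describes as the problem: the query takes employee_id
    straight from the request, so anyone who can reach the method's URL can
    pass any id and read that person's rows."""
    employee_id = int(request["employee_id"])
    rows = db.execute(
        "SELECT item FROM stuff WHERE employee_id = ? ORDER BY item", (employee_id,)
    )
    return [r[0] for r in rows]


def employee_id_for_login(db, login):
    """Derek's lookup: map the authenticated login to its employee_id.
    The bound parameter is the equivalent of <dtml-sqlvar ... type=string>."""
    row = db.execute(
        "SELECT employee_id FROM staff WHERE login = ?", (login,)
    ).fetchone()
    if row is None:
        raise LookupError("no staff row for login %r" % login)
    return row[0]


def stuff_for_authenticated_user(db, authenticated_login, request):
    """Erik's pattern: the id is derived from the authenticated identity
    (here a plain string standing in for getUserName()).  Whatever the
    request carries under employee_id is deliberately ignored."""
    employee_id = employee_id_for_login(db, authenticated_login)
    rows = db.execute(
        "SELECT item FROM stuff WHERE employee_id = ? ORDER BY item", (employee_id,)
    )
    return [r[0] for r in rows]


def demo():
    """bob (employee 2) tries to read alice's rows by claiming id 1.
    Returns (rows the vulnerable version leaks, rows the safe version gives)."""
    db = make_db()
    forged = {"employee_id": "1"}  # constructed: bob's request with alice's id
    leaked = stuff_by_id_from_request(db, forged)
    contained = stuff_for_authenticated_user(db, "bob", forged)
    return leaked, contained


if __name__ == "__main__":
    print(demo())
```

The point the thread makes is visible in demo(): the same forged request leaks alice's rows through the id-from-request path and yields only bob's rows once the id is resolved from the authenticated login server-side.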
participants (2)
- Derek S. Wilson
- Erik Myllymaki