Python Script Security
Hello all

I have a dtml method which builds a page from various different python scripts. How can I stop the python scripts from being called and passed variables independently of the main dtml method? I've tried some research on proxy roles but couldn't pin it down. ZSQL methods are not callable independently and I would like Python Scripts to behave the same.

TIA
Rich

Hi Rich,

I am not aware of any method to stop a script from being directly called. You can however check this in the script itself. You could try something like this (untested):

    if context.REQUEST.get("PUBLISHED") == script:
        raise RuntimeError("script was called directly")  # raise an error here

This checks if the currently published object equals the current script.

Bart

On 11/18/11 19:05, Richard Harley wrote:
> Hello all
>
> I have a dtml method which builds a page from various different python scripts. How can I stop the python scripts from being called and passed variables independently of the main dtml method? I've tried some research on proxy roles but couldn't pin it down. ZSQL methods are not callable independently and I would like Python Scripts to behave the same.
>
> TIA
> Rich

_______________________________________________
Zope maillist - Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope-dev )

Rich,

You can modify the permissions on each of your python scripts to require some role, say "gatekeeper" and then proxy your front-end script to have the role "gatekeeper". Then, only users or scripts with the role "gatekeeper" can call the script directly.

Brian Brinegar
Purdue University

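A simplified model of how the proxy-role setup suggested above behaves, added here as an example; it is not code from the thread and not Zope's own implementation. The class names and the script names `helper` and `page` are assumptions made for illustration.

```python
# Simplified model of the role check described above; not Zope's own code.
# Omitted: ownership checks, acquisition, and permission-to-role mapping.
class Unauthorized(Exception):
    pass

class Script:
    def __init__(self, name, required_roles, proxy_roles=(), body=None):
        self.name = name
        self.required_roles = set(required_roles)  # roles allowed to call it
        self.proxy_roles = set(proxy_roles)        # roles it runs with, if any
        self.body = body or (lambda call: "output of " + name)

class Request:
    """One request: the user's roles plus the stack of running scripts."""
    def __init__(self, user_roles):
        self.user_roles = set(user_roles)
        self.stack = []

    def effective_roles(self):
        # Proxy roles on the calling script replace the user's roles entirely.
        if self.stack and self.stack[-1].proxy_roles:
            return self.stack[-1].proxy_roles
        return self.user_roles

    def call(self, script):
        if not (self.effective_roles() & script.required_roles):
            raise Unauthorized(script.name)
        self.stack.append(script)
        try:
            return script.body(self.call)
        finally:
            self.stack.pop()

def publish(script, user_roles=("Anonymous",)):
    """Model a direct URL request: the stack is empty, so user roles apply."""
    try:
        return Request(user_roles).call(script)
    except Unauthorized as exc:
        return "Unauthorized: " + str(exc)

# Constructed setup: "helper" requires the role "gatekeeper"; the public
# front-end "page" carries "gatekeeper" as a proxy role and calls helper.
helper = Script("helper", required_roles={"gatekeeper"})
page = Script("page", {"Anonymous"}, proxy_roles={"gatekeeper"},
              body=lambda call: "<page>" + call(helper) + "</page>")
```

In this model `publish(helper)` is refused for an Anonymous visitor, while `publish(page)` succeeds because `page` calls `helper` under its proxy role; a user who actually holds "gatekeeper" can still reach `helper` directly.
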
Richard Harley wrote:
> ZSQL methods are not callable independently

I have strong doubts about that claim.

-aj

Thanks Bart and Brian, I will investigate those.

Andreas - how is a zsql method rendered and called through the browser?

Thanks
Rich

participants (5)
- Andreas Jung
- Bart Jansen
- Brian R Brinegar
- Richard Harley
- richard@scholarpack.com