Is there a way to keep users from being able to see any of the management pages? For example, return a 404 error if someone tries to go to http://zopesite/manage or http://zopesite/object/manage. In a similar vein, how would you go about keeping users from executing python scripts or external methods by just typing in the path to that object (http://zopesite/pythonscript) yet still let the pages that use those methods to access them?
I have seen a way to keep users from the management pages if you are using apache in front ... I cannot remember off the top of my head but it is in one of the apache zope guides floating around.

Peter Millar
On Thu, 4 Nov 2004 16:43:19 -0700, Thomas Rampelberg <pyronicide@gmail.com> wrote:
Is there a way to keep users from being able to see any of the management pages? For example, return a 404 error if someone tries to go to http://zopesite/manage or http://zopesite/object/manage.
This would also apply to you wanting to access the ZMI; are you sure you want to do this? Unless they can authenticate they will not see the ZMI ... they'd need to log in as a user with the "Manager" role (or be granted this access through a script using a manager proxy role executing arbitrary code because it trusted a form field passed to it by a user *g*...). To hide the ZMI from users knowledgeable about Zope you could modify the source to use a different URI for the ZMI, but I'd advise against this since you'd have to reiterate the procedure over each newly upgraded Zope.
In a similar vein, how would you go about keeping users from executing python scripts or external methods by just typing in the path to that object (http://zopesite/pythonscript) yet still let the pages that use those methods to access them?
Protect them via the "Security" tab (in ZMI); then only users with the required privileges can render, inspect and/or modify the so restrained Z-Object.

-- The Count
Thomas Rampelberg wrote:
Is there a way to keep users from being able to see any of the management pages?
In the security tab, there's a 'View management screens'
For example, return a 404 error if someone tries to go to http://zopesite/manage or http://zopesite/object/manage.
If you run Zope behind Apache, you could take advantage of rewrite rules and access control to hide 'manage' URLs from requests on port 80 while allowing them on 8080 (or whatever port your Zope listens on).
In a similar vein, how would you go about keeping users from executing python scripts or external methods by just typing in the path to that object (http://zopesite/pythonscript) yet still let the pages that use those methods to access them?
It's in the fine manual, section "proxy roles".

-- Bruno Desthuilliers - Analyste-programmeur
bruno@modulix.org
www.modulix.com
Just to add to these comments: bruno modulix wrote:
Thomas Rampelberg wrote:
Is there a way to keep users from being able to see any of the management pages?
In the security tab, there's a 'View management screens'
For example, return a 404 error if someone tries to go to http://zopesite/manage or http://zopesite/object/manage.
If you run Zope behind Apache, you could take advantage of rewrite rules and access control to hide 'manage' URLs from requests on port 80 while allowing them on 8080 (or whatever port your Zope listens on).
You could do management through a secure shell: ssh www.yoursite.com -L8080:localhost:8080, then use Apache to allow only localhost:8080/manage requests to get to real management URLs.
In a similar vein, how would you go about keeping users from executing python scripts or external methods by just typing in the path to that object (http://zopesite/pythonscript) yet still let the pages that use those methods to access them?
It's in the fine manual, section "proxy roles".
Do you mean "Allow anonymous users to see a page that contains the output from a script, but deny the anonymous user the ability to call that script directly"? In the FM it is not so obvious; you do this:
1. Give the python script the View/Manager only permission, then
2. Call the script from a dtml document that has the Manager proxy role.
That at least stops the script from being called from the browser URL box. I am not sure this would do any good. If hackers want to get at your script with fake data they could try calling your dtml document with their own parameters.

Cliff

Sorry I seem to have stolen a thread - deleted original message.
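Putting Bruno's port-80 rewrite idea and Cliff's ssh tunnel together, here is an added Apache configuration sketch; it is not from any post in the thread nor from the Zope documentation. It assumes Zope listens only on 127.0.0.1:8080, a VirtualHostMonster sits at the Zope root, the public host name is www.yoursite.com, and mod_rewrite and mod_proxy are loaded.

```apache
# Public vhost on port 80 (added example, not from the thread or the Zope docs).
# Assumptions: Zope bound to 127.0.0.1:8080 only (zope.conf "ip-address 127.0.0.1"),
# a VirtualHostMonster at the Zope root, host name www.yoursite.com.
<VirtualHost *:80>
    ServerName www.yoursite.com
    RewriteEngine On

    # Refuse any path segment that is exactly "manage" or starts with "manage_"
    # (/manage, /object/manage, /manage_main, /object/manage_workspace, ...).
    # Apache sends the 404 itself, so the request never reaches the ZMI.
    # [R=404] needs Apache 2.2 or later; on older versions use [F,L] for a 403.
    RewriteRule (^|/)manage(_[^/]*)?(/|$) - [R=404,L]

    # Everything else is handed to Zope through the VirtualHostMonster so the
    # URLs Zope generates still point at port 80 on the public host name.
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}:80/VirtualHostRoot/$1 [P,L]
</VirtualHost>

# Management bypasses Apache entirely. From the admin workstation:
#   ssh www.yoursite.com -L8080:localhost:8080
# then browse http://localhost:8080/manage. Because Zope binds only to
# 127.0.0.1, the ZMI is reachable solely through the tunnel.
```

This only hides the ZMI's URLs from the public port; the Security-tab permissions and proxy roles discussed above still decide what an authenticated user may do once inside.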