Curtis Maloney writes:
> I have just made a nice fresh Zope 2.3 install, and am having an odd problem with PythonScripts.
> I add one from the management screen, enter the name, "add and edit", enter the code, then hit "save". Which dumps me to my index_html.

Looks as if you no longer have the permission to use any management action.
Unfortunately, I cannot tell you why.

Dieter

Hello,

I've written an external method that I call through xml-rpc. It lets me create files on the server from a stand-alone client application that runs on the workstation of my users.

In testing it recently, I discovered that it will let me write files to secured folders within my Zope system, even though I'm not yet using the patch to xmlrpclib.py that supports authentication!

I'm running Zope 2.2.5 under Red Hat 7.0. The external method is included below. Any clues would be appreciated. Thanks in advance....

Is it up to me to write my own security code when using an external method?

--
import tempfile
import OFS.content_types
import OFS.FindSupport
import string

def EWSyncAdd(self, PARMS):
    """ Create a new DTMLDocument, Image, or File object """
    # Every parameter is required; report the first one that is missing.
    try: filename = PARMS['filename']
    except: return "missing parm: filename"
    try: timestamp = PARMS['timestamp']
    except: return "missing parm: timestamp"
    try: contents = PARMS['contents'].data
    except: return "missing parm: contents"
    try: title = PARMS['title']
    except: return "missing parm: title"
    # The target folder is taken from the request path.
    truepathspec = fixRPCPath(self.REQUEST)
    folderObject = self.REQUEST.resolve_url(truepathspec)
    filespec = truepathspec + '/' + filename
    itemObject = None
    if filename in folderObject.objectIds():
        return "object already exists"
    type, enc=OFS.content_types.guess_content_type(filename, contents)
    if type in ('text/html', 'text/xml', 'text/plain'):
        # Create a DTMLDocument object
        folderObject.manage_addDocument(filename, title)
        itemObject = self.REQUEST.resolve_url(filespec)
        itemObject.manage_edit(contents, title)
    elif type[:6]=='image/':
        # Create an Image object
        f = tempfile.TemporaryFile()
        f.write(contents)
        f.seek(0)
        folderObject.manage_addImage(filename, f, title=title)
        f.close()
        itemObject = self.REQUEST.resolve_url(filespec)
    else:
        # Create a File object
        f = tempfile.TemporaryFile()
        f.write(contents)
        f.seek(0)
        folderObject.manage_addFile(filename, f, title=title)
        f.close()
        itemObject = self.REQUEST.resolve_url(filespec)
    if itemObject.getProperty('EWTimeStamp') is None:
        itemObject.manage_addProperty('EWTimeStamp', timestamp, 'string')
    else:
        itemObject.manage_changeProperties(None, EWTimeStamp=timestamp)
    return "OK"

def fixRPCPath(req):
    # Drop a leading RPC2 segment and the trailing method name from the path.
    pathsegs = string.split(req['PATH_INFO'], '/')
    if pathsegs[1] == 'RPC2':
        del pathsegs[1]
    del pathsegs[-1]
    return 'http://' + req['HTTP_HOST'] + string.join(pathsegs, '/')

--
Martin Stitt
Chief Software Engineer
Esker, Inc.
email: marty.stitt@esker.com
phone: (608) 273-6000 x331
fax: (608) 273-8227
web: http://www.esker.com

Marty Stitt wrote:
> Is it up to me to write my own security code when using an external method?

Basically, yes. You can protect access to the "stub" within the ZODB using the Security tab, but the body of the external method has free rein.

Shane
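
The point of the reply above, as an added example that is not part of the thread and is not Zope code: a toy model in which the method body either ignores the caller or authorizes the caller against the target folder before writing. `Folder`, `build_site`, `add_unchecked` and `add_checked` are hypothetical names; in Zope 2 the corresponding check inside an external method is `AccessControl.getSecurityManager().checkPermission(permission, object)`.

```python
# Toy model, not Zope code: every class and function here is a hypothetical stand-in.
ADD_PERM = 'Add Documents, Images, and Files'   # Zope 2 permission name

class Unauthorized(Exception):
    pass

class Folder:
    def __init__(self, name, parent=None, perm_roles=None):
        self.name, self.parent = name, parent
        self.perm_roles = perm_roles or {}   # permission -> roles set locally
        self.objects = {}
        if parent is not None:
            parent.objects[name] = self

    def roles_for(self, permission):
        # Nearest folder up the tree that sets the permission wins.
        if permission in self.perm_roles:
            return self.perm_roles[permission]
        return self.parent.roles_for(permission) if self.parent else set()

def resolve(root, path):
    node = root
    for seg in filter(None, path.split('/')):
        node = node.objects[seg]
    return node

def add_unchecked(root, caller_roles, path, filename, contents):
    # Mirrors the posted method: the caller's roles are never consulted.
    resolve(root, path).objects[filename] = contents
    return "OK"

def add_checked(root, caller_roles, path, filename, contents):
    # Authorize the caller against the target folder before touching it.
    folder = resolve(root, path)
    if not caller_roles & folder.roles_for(ADD_PERM):
        raise Unauthorized("caller may not add objects to %s" % folder.name)
    if filename in folder.objects:
        return "object already exists"
    folder.objects[filename] = contents
    return "OK"

def build_site():
    # Constructed sample tree: /secure inherits Manager-only, /incoming is open.
    root = Folder('root', perm_roles={ADD_PERM: {'Manager'}})
    Folder('secure', root)
    Folder('incoming', root, {ADD_PERM: {'Anonymous', 'Manager'}})
    return root
```
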

participants (3): Dieter Maurer, Marty Stitt, Shane Hathaway