Hello, is it possible to set permissions, e.g. 'view', depending from the surfers domain? I need to protect files and folders from viewing by surfers outside our domains. I dont want a login screen! Any suggestions? Thanks, Marcus
On Thu, 28 Feb 2002, Marcus Bergmann wrote:
Hello,
is it possible to set permissions, e.g. 'view', depending from the surfers domain? I need to protect files and folders from viewing by surfers outside our domains. I dont want a login screen!
Haven't tried this, but would it work to: in outer folder, create user "bob" with low privileges (ie can't view documents in question) in inner folder, create user "bob" with same password and higher privileges (ie can view docs in question) __and__ with restricted domain list when zope goes to show bob the content, it would fail with the inner bob if he's not from the right domain and fall back on the outer bob who lacks the right privileges. Not sure if it would do this, though: it might not bubble up to the next bob. If it sounds interesting, check & see & let us know. -*- if this doesn't work, something more programmatic, like a SetAccessRule python script in the folder in question would work. This would compare the requester's domain and could raise an exception. It's not nice, clean declaration security like above, but, hey, it would get the job done. -*- btw: if you're using a different webserver (eg apache) as the front end, you might not be getting the real browser IP address proxied to you; you might be getting the IP address of your apache box. Search the list for messages about this for workarounds. -- Joel BURTON | joel@joelburton.com | joelburton.com | aim: wjoelburton Independent Knowledge Management Consultant
Joel Burton wrote:
On Thu, 28 Feb 2002, Marcus Bergmann wrote:
Hello,
is it possible to set permissions, e.g. 'view', depending from the surfers domain? I need to protect files and folders from viewing by surfers outside our domains. I dont want a login screen!
Haven't tried this, but would it work to:
in outer folder, create user "bob" with low privileges (ie can't view documents in question)
in inner folder, create user "bob" with same password and higher privileges (ie can view docs in question) __and__ with restricted domain list
when zope goes to show bob the content, it would fail with the inner bob if he's not from the right domain and fall back on the outer bob who lacks the right privileges.
Not sure if it would do this, though: it might not bubble up to the next bob. If it sounds interesting, check & see & let us know.
I dont want to do this beacause I dont want to force the users to login. I want Zope to check the domain, the user comes from and either to allow or deny access. No problem with DTML-Documents or -Methods. There I can query the REMOTE_HOST. But if I publish files, there is no way to run a script, is it?
-*-
if this doesn't work, something more programmatic, like a SetAccessRule python script in the folder in question would work. This would compare the requester's domain and could raise an exception. It's not nice, clean declaration security like above, but, hey, it would get the job done.
Ok, I could write such a script, but how do I run the script when the user acesses the contents of the folder? Lets say the user directly calls http://mydomain/myfolder/myfile.pdf.
-*-
btw: if you're using a different webserver (eg apache) as the front end, you might not be getting the real browser IP address proxied to you; you might be getting the IP address of your apache box. Search the list for messages about this for workarounds.
No problem, our Apache let the REMOTE_HOST name pass.
--
Joel BURTON | joel@joelburton.com | joelburton.com | aim: wjoelburton Independent Knowledge Management Consultant
In my view the missing of the possibility to deny/allow access to objects in Zope is a missing feature. You can do it easy with Apache, why not with Zope? Thanks, Marcus
There is somethin called precommand on files. Maybe you should try it. []'s Em Qui 28 Fev 2002 14:25, Marcus Bergmann escreveu:
Joel Burton wrote:
On Thu, 28 Feb 2002, Marcus Bergmann wrote:
Hello,
is it possible to set permissions, e.g. 'view', depending from the surfers domain? I need to protect files and folders from viewing by surfers outside our domains. I dont want a login screen!
Haven't tried this, but would it work to:
in outer folder, create user "bob" with low privileges (ie can't view documents in question)
in inner folder, create user "bob" with same password and higher privileges (ie can view docs in question) __and__ with restricted domain list
when zope goes to show bob the content, it would fail with the inner bob if he's not from the right domain and fall back on the outer bob who lacks the right privileges.
Not sure if it would do this, though: it might not bubble up to the next bob. If it sounds interesting, check & see & let us know.
I dont want to do this beacause I dont want to force the users to login. I want Zope to check the domain, the user comes from and either to allow or deny access. No problem with DTML-Documents or -Methods. There I can query the REMOTE_HOST. But if I publish files, there is no way to run a script, is it?
-*-
if this doesn't work, something more programmatic, like a SetAccessRule python script in the folder in question would work. This would compare the requester's domain and could raise an exception. It's not nice, clean declaration security like above, but, hey, it would get the job done.
Ok, I could write such a script, but how do I run the script when the user acesses the contents of the folder? Lets say the user directly calls http://mydomain/myfolder/myfile.pdf.
-*-
btw: if you're using a different webserver (eg apache) as the front end, you might not be getting the real browser IP address proxied to you; you might be getting the IP address of your apache box. Search the list for messages about this for workarounds.
No problem, our Apache let the REMOTE_HOST name pass.
--
Joel BURTON | joel@joelburton.com | joelburton.com | aim: wjoelburton Independent Knowledge Management Consultant
In my view the missing of the possibility to deny/allow access to objects in Zope is a missing feature. You can do it easy with Apache, why not with Zope?
Thanks, Marcus
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
-- Sidnei da Silva X3ng Web Technology sidnei@x3ng.com.br
Sidnei da Silva wrote:
There is somethin called precommand on files. Maybe you should try it.
[]'s
OMG, where did my eyes go? I'm sure it would do it for me!
Em Qui 28 Fev 2002 14:25, Marcus Bergmann escreveu:
Joel Burton wrote:
On Thu, 28 Feb 2002, Marcus Bergmann wrote:
Hello,
is it possible to set permissions, e.g. 'view', depending from the surfers domain? I need to protect files and folders from viewing by surfers outside our domains. I dont want a login screen!
[snip] Thanks, Marcus
Oops. its precondition. Em Qui 28 Fev 2002 15:03, Sidnei da Silva escreveu:
There is somethin called precommand on files. Maybe you should try it.
[]'s
Em Qui 28 Fev 2002 14:25, Marcus Bergmann escreveu:
Joel Burton wrote:
On Thu, 28 Feb 2002, Marcus Bergmann wrote:
Hello,
is it possible to set permissions, e.g. 'view', depending from the surfers domain? I need to protect files and folders from viewing by surfers outside our domains. I dont want a login screen!
Haven't tried this, but would it work to:
in outer folder, create user "bob" with low privileges (ie can't view documents in question)
in inner folder, create user "bob" with same password and higher privileges (ie can view docs in question) __and__ with restricted domain list
when zope goes to show bob the content, it would fail with the inner bob if he's not from the right domain and fall back on the outer bob who lacks the right privileges.
Not sure if it would do this, though: it might not bubble up to the next bob. If it sounds interesting, check & see & let us know.
I dont want to do this beacause I dont want to force the users to login. I want Zope to check the domain, the user comes from and either to allow or deny access. No problem with DTML-Documents or -Methods. There I can query the REMOTE_HOST. But if I publish files, there is no way to run a script, is it?
-*-
if this doesn't work, something more programmatic, like a SetAccessRule python script in the folder in question would work. This would compare the requester's domain and could raise an exception. It's not nice, clean declaration security like above, but, hey, it would get the job done.
Ok, I could write such a script, but how do I run the script when the user acesses the contents of the folder? Lets say the user directly calls http://mydomain/myfolder/myfile.pdf.
-*-
btw: if you're using a different webserver (eg apache) as the front end, you might not be getting the real browser IP address proxied to you; you might be getting the IP address of your apache box. Search the list for messages about this for workarounds.
No problem, our Apache let the REMOTE_HOST name pass.
--
Joel BURTON | joel@joelburton.com | joelburton.com | aim: wjoelburton Independent Knowledge Management Consultant
In my view the missing of the possibility to deny/allow access to objects in Zope is a missing feature. You can do it easy with Apache, why not with Zope?
Thanks, Marcus
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
-- Sidnei da Silva X3ng Web Technology sidnei@x3ng.com.br
On Thu, 28 Feb 2002, Sidnei da Silva wrote:
There is somethin called precommand on files. Maybe you should try it.
if this doesn't work, something more programmatic, like a SetAccessRule python script in the folder in question would work. This would compare the requester's domain and could raise an exception. It's not nice, clean declaration security like above, but, hey, it would get the job done.
Ok, I could write such a script, but how do I run the script when the user acesses the contents of the folder? Lets say the user directly calls http://mydomain/myfolder/myfile.pdf.
The whole point of an SetAccessRule is that it is *always* called automatically on all objects in and below the folderish object in which it is installed. -- Joel BURTON | joel@joelburton.com | joelburton.com | aim: wjoelburton Independent Knowledge Management Consultant
Does anyone know how to change the metatype of an object that already exists? I am trying to FTP some files into a Zope directory, but annoyingly they identify themselves as DTML documents, but I need them to be DTML Methods so that the DTML in the pages is useful... Any ideas? Jason __________________________________________________ Do You Yahoo!? Yahoo! Greetings - Send FREE e-cards for every occasion! http://greetings.yahoo.com
J. Joy writes:
Does anyone know how to change the metatype of an object that already exists?
I am trying to FTP some files into a Zope directory, but annoyingly they identify themselves as DTML documents, but I need them to be DTML Methods so that the DTML in the pages is useful... Look at "PUT_factory"s.
It would not be sufficient to change the "meta_type". Objects belong to classes that define their methods. Changing the class at runtime requires (in general) recreation of the object. Dieter
--On 28 February 2002 16:37 +0100 Marcus Bergmann <marcus.bergmann@isst.fhg.de> wrote:
Hello,
is it possible to set permissions, e.g. 'view', depending from the surfers domain? I need to protect files and folders from viewing by surfers outside our domains. I dont want a login screen!
Any suggestions?
One of the biggest secrets (IMHO) about Zope > 2.3.0 is buried in the doc/HISTORY.txt file: Zope 2.3.0 beta 2 Bugs Fixed - Changed the default support for "domain authentication mode" in UserFolder to be disabled by default. Domain auth mode was implemented for a very specific case long ago and causes a lot of overhead for anonymous accesses that are needless for the 99% case. People who actually want domain auth mode turned on may call a new 'setDomainAuthenticationMode' method to enable it if they wish. It's turned off by default. You need to turn it on. As a manager user, visit the URL of your acl_user folder and call its "setDomainAuthenticationMode" method: http://site/folder/acl_users/setDomainAuthenticationMode?domain_auth_mode=1 You then see the response: Domain authentication mode set to 1 Then you can restrict by IP address (using the Domains box in acl_users). Paul -- The Library, Tyndall Avenue, Univ. of Bristol, Bristol, BS8 1TJ, UK E-mail: paul.browning@bristol.ac.uk URL: http://www.bris.ac.uk/
Paul Browning wrote:
--On 28 February 2002 16:37 +0100 Marcus Bergmann <marcus.bergmann@isst.fhg.de> wrote:
Hello,
is it possible to set permissions, e.g. 'view', depending from the surfers domain? I need to protect files and folders from viewing by surfers outside our domains. I dont want a login screen!
Any suggestions?
After try and error with using the "domain authentication mode" without success, I use this workaround for my special case. For each file I want to publish I set the "Precondition" to "checkDomain". This is a method what checks if the surfer comes from our internal networks or from outside: <dtml-let trusted_domains="['1.2.3','4.5.6','7.8.9']"> #not the real domains :) <dtml-in trusted_domains> <dtml-let surfers_domain="_.string.join([_.string.split(REMOTE_ADDR, '.')[0], _.string.split(REMOTE_ADDR, '.')[1], _.string.split(REMOTE_ADDR, '.')[2]], '.')"> <dtml-if "surfers_domain == _['sequence-item']"> <dtml-return "1"> </dtml-if> </dtml-let> </dtml-in> <dtml-raise NotFound>Web Page Not Found</dtml-raise> </dtml-let> Thank you for helping me out :) Marcus
participants (6)
-
Dieter Maurer -
J. Joy -
Joel Burton -
Marcus Bergmann -
Paul Browning -
Sidnei da Silva