how to prevent URL access to an external method?
I need to do something on the filesystem, which requires unrestricted python, so I created an external method. The problem is that anyone can call that directly via URL, so I added a permission check. Even then, users with sufficient permissions can call this via URL, which I don't want them to do. I only want them to have access indirectly from other pages (such as a page template that will pass sane parameters). Is there any way to do this?

Thanks, PL
Click the Proxy tab of the method with the "View" permission.

----- Original Message ----- From: "Pedro LaWrench" <pedrolawrench@yahoo.com>
Within the ExternalMethod you could check the ACTUAL_URL variable (in REQUEST) and if the name of the external method is found you could redirect the user to a "you're a baaad user" page.

Jonathan

----- Original Message ----- From: "Pedro LaWrench" <pedrolawrench@yahoo.com> To: <zope@zope.org> Sent: Tuesday, April 28, 2009 11:04 AM Subject: [Zope] how to prevent URL access to an external method?
I like this idea. Is this a standard approach in the Zope world? Surely this is a relatively common problem... at least it seems to me that the intention of external methods is to provide support routines with unrestricted python that are never meant to be called directly by users. Or are external methods the wrong way to do this?

----- Original Message ---- From: Jonathan (dev101) <dev101@magma.ca> To: Pedro LaWrench <pedrolawrench@yahoo.com>; zope@zope.org Sent: Tuesday, April 28, 2009 8:08:03 AM Subject: Re: [Zope] how to prevent URL access to an external method?
Use a BrowserView?!

-aj

On Tue, Apr 28, 2009 at 17:04, Pedro LaWrench <pedrolawrench@yahoo.com> wrote:
I don't know what this means. BTW, I'm using Zope 2.9.8, if that matters, along with Plone 2.5.4.

________________________________ From: Andreas Jung <lists@zopyx.com> To: Pedro LaWrench <pedrolawrench@yahoo.com> Cc: zope@zope.org Sent: Tuesday, April 28, 2009 8:09:14 AM Subject: Re: [Zope] how to prevent URL access to an external method?
Pedro LaWrench wrote:

Add a REQUEST argument to your function, defaulting to None. The publisher will always pass the request in for that argument, while the other templates / scripts should not. E.g.:

    def doSomething(self, REQUEST=None):
        """ Don't call me directly via a URL!!! """
        if REQUEST is not None:
            raise ValueError('Wicked, evil, naughty Zoot!')

Tres.

--
Tres Seaver +1 540-429-0999 tseaver@palladion.com
Palladion Software "Excellence by Design" http://palladion.com
Excellent. Thank you all for the suggestions.

----- Original Message ---- From: Tres Seaver <tseaver@palladion.com> To: zope@zope.org Sent: Tuesday, April 28, 2009 8:38:18 AM Subject: Re: [Zope] how to prevent URL access to an external method?
Why? It is a more transparent and better way - use the security tab.

----- Original Message ----- From: "Tres Seaver" <tseaver@palladion.com>
In my opinion Tres's way is the correct one for this case. Why? Because the original aim must be to run the script only for internal processes. The main difference between an internal call and a user one is the REQUEST parameter, and so Tres's solution seems the more convenient way. It's only my opinion.

2009/4/28 Jaroslav Lukesh <lukesh@seznam.cz>
> Why? It is more transparent and better way - use security tab.

--
Mis Cosas http://blogs.sistes.net/Garito
Zope Smart Manager http://blogs.sistes.net/Garito/670
What would you change on the security tab? I still want my authenticated users to have access to the method as a call to it is made from unrestricted space (such as a page template), I just don't want them to call the method directly.

----- Original Message ---- From: Jaroslav Lukesh <lukesh@seznam.cz> To: zope@zope.org; Tres Seaver <tseaver@palladion.com> Sent: Tuesday, April 28, 2009 8:50:29 AM Subject: Re: [Zope] how to prevent URL access to an external method?
Method1: security allows view only for manager.
Method2: contains a call to method1; security: view for anonymous or whatever role you want.

----- Original Message ----- From: "Pedro LaWrench" <pedrolawrench@yahoo.com>
On Tue, Apr 28, 2009 at 18:25, Pedro LaWrench <pedrolawrench@yahoo.com> wrote:
> What would you change on the security tab? I still want my authenticated users to have access to the method as a call to it is made from unrestricted space (such as a page template)

A page template is restricted. If it really was unrestricted it would be called from Python code on the hard disk, and then you wouldn't need the external method.

> I just don't want them to call the method directly.

So Tres' method is the simplest one that does just this.

--
Lennart Regebro: Python, Zope, Plone, Grok
http://regebro.wordpress.com/
+33 661 58 14 64
Sorry, you are correct, I meant to say from restricted space. The external method is what gives me access to unrestricted python. I do plan on using Tres' method.

----- Original Message ---- From: Lennart Regebro <regebro@gmail.com> To: Pedro LaWrench <pedrolawrench@yahoo.com> Cc: Jaroslav Lukesh <lukesh@seznam.cz>; zope@zope.org; Tres Seaver <tseaver@palladion.com> Sent: Tuesday, April 28, 2009 11:12:20 AM Subject: Re: [Zope] how to prevent URL access to an external method?
participants (7): Andreas Jung, Garito, Jaroslav Lukesh, Jonathan (dev101), Lennart Regebro, Pedro LaWrench, Tres Seaver