External Method and XML-RPC (Maybe a bug)
Hi, I am trying to use Zope as an App server (basically to provide an XML-RPC interface) for a certain application. I have a function called addFile in the External Method.

    def ext_addfile(self):
        ob = self.Files
        ob.manage_addFile("hello", "hello")

I created an external method called ext_addFile(). Now I write my client using the xml-rpc lib:

    s = xmlrpclib.Server("<hostname>")
    s.ext_addFile()

And this adds a file to my directory. This freaked me out, because I was an anonymous user and this shouldn't happen. The next thing I did was create a Python Script of the same structure and called it addFile():

    ob = context.Files
    ob.manage_addFile("hello", "hello")

Now I run my client xml-rpc program:

    s = xmlrpclib.Server("<hostname>")
    s.addFile()

and it's giving me Unauthorized as expected. So basically I don't know why this is happening. Is this due to some permission problems I have on the directory or External Methods, or something which I am totally missing?

--
Phani Kumar Arava
Grad Student, Department Of Computer Science, Ohio State University
1560 Worthington Street, Columbus, Ohio 43201
2015 Neil Avenue, Columbus, Ohio 43210
Contact: (614)-286-2618
URL: www.cse.ohio-state.edu/~arava/
mailto: arava.3@osu.edu, phani.arava@gmail.com, arava_phani@yahoo.com
Phani Kumar Arava wrote:
> Hi, I am trying to use Zope as an App server (basically to provide an XML-RPC interface) for a certain application.
> I have a function called addFile in the External Method.
>
>     def ext_addfile(self):
>         ob = self.Files
>         ob.manage_addFile("hello", "hello")
>
> I created an external method called ext_addFile()
> Now I write my client using the xml-rpc lib
>
>     s = xmlrpclib.Server("<hostname>")
>     s.ext_addFile()
>
> And this adds a file to my directory. This freaked me out, because I was an anonymous user and this shouldn't happen. The next thing I did was create a Python Script of the same structure and called it addFile()
>
>     ob = context.Files
>     ob.manage_addFile("hello", "hello")
>
> Now I run my client xml-rpc program
>
>     s = xmlrpclib.Server("<hostname>")
>     s.addFile()
>
> and it's giving me Unauthorized as expected.
> So basically I don't know why this is happening. Is this due to some permission problems I have on the directory or External Methods, or something which I am totally missing?
By design, ExternalMethods run as "trusted" code -- if a user has "View" permission on the EM object, then its code will run, without performing the security checks done by "untrusted" PythonScript objects. You need either to protect the EM object itself (removing the "View" permission on that object should be enough), or else do the security check within the EM code itself. E.g.:

    from AccessControl import getSecurityManager, Unauthorized
    from AccessControl.Permissions import add_documents_images_and_files

    sm = getSecurityManager()
    if not sm.checkPermission(add_documents_images_and_files, self):
        raise Unauthorized("Can't add files here!")

Tres.

--
===================================================================
Tres Seaver          +1 540-429-0999          tseaver@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
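An added, self-contained model of the two behaviours discussed in this thread (not Zope's AccessControl and not code from either poster): a toy folder with a permission-to-roles table stands in for the Zope folder, a toy security manager stands in for getSecurityManager(), and the two External Method bodies show the unguarded version from the original post beside the guarded version from the reply. The role and permission names are constructed for the example.

```python
# Stand-in model of Zope's trusted External Method behaviour; constructed
# for illustration, not the AccessControl API.

ADD_FILES = "Add Documents, Images, and Files"   # the permission the reply checks


class Unauthorized(Exception):
    """Stand-in for AccessControl.Unauthorized."""


class Folder:
    """Toy folder: an id-to-object map plus a permission -> roles table."""
    def __init__(self, perms):
        self.objects = {}
        self.perms = perms          # e.g. {ADD_FILES: {"Manager"}}

    def manage_addFile(self, id, file):
        # No check here: trusted code reaches this method unconditionally,
        # which is exactly why the unguarded EM lets Anonymous add a file.
        self.objects[id] = file


class SecurityManager:
    """Stand-in for getSecurityManager(): knows the caller's roles."""
    def __init__(self, roles):
        self.roles = set(roles)

    def checkPermission(self, permission, obj):
        return bool(self.roles & obj.perms.get(permission, set()))


def ext_addFile_unguarded(folder, sm):
    """Trusted EM as in the original post: anyone who can View the EM gets here."""
    folder.manage_addFile("hello", "hello")


def ext_addFile_guarded(folder, sm):
    """EM with the explicit permission check the reply recommends."""
    if not sm.checkPermission(ADD_FILES, folder):
        raise Unauthorized("Can't add files here!")
    folder.manage_addFile("hello", "hello")


def run(em, roles):
    """Call an EM as a user holding `roles`; return True if a file was added."""
    folder = Folder({ADD_FILES: {"Manager"}})   # only Managers may add files
    try:
        em(folder, SecurityManager(roles))
    except Unauthorized:
        return False
    return "hello" in folder.objects
```

Running `run(ext_addFile_unguarded, ["Anonymous"])` returns True, reproducing the surprise in the original post, while the guarded EM returns False for Anonymous and True for a Manager.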