[Zope-CMF] Controlling permissions for actions
Jens Vagelpohl
jens at dataflake.org
Thu Sep 27 06:40:59 EDT 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 27 Sep 2007, at 12:19, Charlie Clark wrote:
> Hi,
>
> how do I control access to a PythonScript that should only be
> available as an action? I've setup the action for the site and
> given it a permission but this seems only to affect it's visibility
> for users.
>
> ie. I have a script manage_wombats and configured action for it
> with the Permission "Manage portal". It is listed as an action only
> for managers but is globally available as a URL.
If you have a script somewhere in the skins or in your site it will
*always* be available for people who call it up directly by URL.
There is no builtin mechanism in Zope or the CMF to control that. You
could do some "manual" checking inside the script to make sure the
calling user has the right permissions or the script is not called by
direct URL traversal.
jens
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
iD8DBQFG+4i7RAx5nvEhZLIRAt1WAJwNh6gRJUtBRWRr+YiOQPsS3/30tQCdFMY0
ZOCbsqK3aHm2+meX7uc3hKA=
=AYPK
-----END PGP SIGNATURE-----
More information about the Zope-CMF
mailing list