[Zope-dev] access of non html documents

Casey Duncan casey@zope.com
Tue, 12 Nov 2002 17:30:33 -0500


One way to do this is to peek at the HTTP_REFERER value coming from the
browser before you serve the document. If the document is in a file object,
then you can use a precondition for this, which is a callable object.

It could be written as follows in a python script:

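request = context.REQUEST
# A request with no Referer header (such as a typed URL) is treated as empty.
referer = request.get('HTTP_REFERER', '')
if not referer.startswith(request.SERVER_URL):
    raise 'NotFound'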

If you make a script and then specify it for the preconditions of your files,
then it would only allow downloads coming from another URL on your site. No
direct URL or linking from outside would be allowed with a standard browser.

However, one could easily circumvent this by spoofing the HTTP_REFERER on the
client. This would assume a certain level of sophistication on the part of
the would-be spoofer.

To make it a bit harder you could use sessions or cookies and validate those
in your precondition instead. This would be harder to fool if you did it
right.

-Casey

On Tuesday 12 November 2002 07:11 pm, General Info wrote:
> i have the following situation.
> i want the users to be able to download non html documents if that document
> is referred to from an html document. however, i don't want the users to be
> able to type the url and document name on the url box of their browsers and be
> able to download it.
> for example:
> the documents exist in http://www.wwwdotcom.com/nonhtmldocs/doc1.pdf
> however, i don't want the users to type that url on their browser and access
> doc1.pdf
> i only want them to access it if that particular document is linked from an
> html document.
> i have seen some websites that do that w/ images. how can i do that on zope?
> is it possible?
>
> i would appreciate any comments/suggestions.
>
> -roberto
>
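
Added example, not part of the original message or of Zope: one way the cookie validation suggested in the reply could work, shown next to the Referer comparison. The secret, the lifetime and all function names are assumptions; in Zope the token would be set as a cookie when the linking page is rendered and checked by the file's precondition.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: a server-side secret from config
MAX_AGE = 300  # assumption: seconds a token stays valid after the page is served


def _mac(path, ts, secret):
    return hmac.new(secret, f"{path}|{ts}".encode(), hashlib.sha256).hexdigest()


def issue_token(path, now=None, secret=SECRET):
    """Run when the linking HTML page is rendered; the value goes into a cookie."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}:{_mac(path, ts, secret)}"


def token_allows(token, path, now=None, secret=SECRET):
    """Precondition-style check: True only for a fresh, unmodified token for path."""
    now = time.time() if now is None else now
    try:
        ts, mac = token.split(":", 1)
        issued = int(ts)
        ok = hmac.compare_digest(mac.encode(), _mac(path, ts, secret).encode())
    except (AttributeError, ValueError):
        return False  # cookie missing or malformed
    return ok and 0 <= now - issued <= MAX_AGE


def referer_allows(referer, server_url):
    """The Referer comparison from the reply; the header is client-supplied."""
    return (referer or "").startswith(server_url)


if __name__ == "__main__":
    doc = "/nonhtmldocs/doc1.pdf"  # path taken from the question
    cookie = issue_token(doc)
    print("fresh token:", token_allows(cookie, doc))
    print("no cookie:", token_allows(None, doc))
    print("token for another file:", token_allows(cookie, "/nonhtmldocs/doc2.pdf"))
```

Because the token is bound to the document path and an issue time, a value copied from one page does not open a different file and stops working once it is older than MAX_AGE.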