[Zope] Quick Security Question (Anonymous "Add Documents, Ima
ges, and Files")
Jeffrey Robinson
Jeffrey.Robinson@MCICoach.com
Thu, 8 Nov 2001 08:02:29 -0600
It may be easier/safer to use the proxy tab on your python script to give it
"manager" status (or the like) giving only the script the ability to upload
images.
Without a proxy the script would run with the permissions of the requesting
user.
Jeff
> -----Original Message-----
> From: Adam Warner [SMTP:lists@consulting.net.nz]
> Sent: Thursday, November 08, 2001 6:58 AM
> To: zope@zope.org
> Subject: [Zope] Quick Security Question (Anonymous "Add Documents,
> Images, and Files")
>
> Hi all,
>
> I have a python script that does a manage_addFile (it generates a cached
> version of a converted file the first time the page is viewed). To allow
> anon users to access the page itself I've had to allow anon "Add
> Documents, Images, and Files" in the root folder security. I've disabled
> it again while I await confirmation.
>
> These are the only options available to me in the python script's security
> settings:
>
> Access contents information
> Change Python Scripts
> Change bindings
> Change cache settings
> Change permissions
> Change proxy roles
> Delete objects
> Manage WebDAV Locks
> Manage properties
> Take ownership
> Undo changes
> View
> View History
> View management screens
> WebDAV Lock items
> WebDAV Unlock items
> WebDAV access
>
> My question is: Does enabling website wide anonymous "Add Documents,
> Images, and Files" mean users will be able to upload files, etc.
> indiscriminately? Or does it just mean anon user-initiated scripts and
> forms that generate files will work?
>
> Thanks,
> Adam