[Zope] Quick Security Question (Anonymous "Add Documents, Images, and Files")

Jeffrey Robinson Jeffrey.Robinson@MCICoach.com
Thu, 8 Nov 2001 08:02:29 -0600


It may be easier/safer to use the proxy tab on your python script to give it
"manager" status (or the like) giving only the script the ability to upload
images.

Without a proxy the script would run with the permissions of the requesting
user.

Jeff

> -----Original Message-----
> From:	Adam Warner [SMTP:lists@consulting.net.nz]
> Sent:	Thursday, November 08, 2001 6:58 AM
> To:	zope@zope.org
> Subject:	[Zope] Quick Security Question (Anonymous "Add Documents,
> Images, and Files")
> 
> Hi all,
> 
> I have a python script that does a manage_addFile (it generates a cached
> version of a converted file the first time the page is viewed). To allow
> anon users to access the page itself I've had to allow anon "Add
> Documents, Images, and Files" in the root folder security. I've disabled
> it again while I await confirmation.
> 
> These are the only options available to me in the python script's security
> settings:
> 
> Access contents information
> Change Python Scripts
> Change bindings
> Change cache settings
> Change permissions
> Change proxy roles
> Delete objects
> Manage WebDAV Locks
> Manage properties
> Take ownership
> Undo changes
> View
> View History
> View management screens
> WebDAV Lock items
> WebDAV Unlock items
> WebDAV access
> 
> My question is: Does enabling website wide anonymous "Add Documents,
> Images, and Files" mean users will be able to upload files, etc.
> indiscriminately? Or does it just mean anon user-initiated scripts and
> forms that generate files will work?
> 
> Thanks,
> Adam
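
A simplified model of the two setups discussed in this thread, added here as an illustration and not taken from either email or from Zope's own code. The classes and `compare()` are hypothetical; the model assumes the permission guards `manage_addFile` for every caller and that proxy roles replace the requesting user's roles while the script runs.

```python
# Simplified model of a Zope-style permission check (illustration only, not Zope code).
ADD_FILES = "Add Documents, Images, and Files"

class Folder:
    def __init__(self, grants):
        self.grants = grants              # permission name -> set of roles holding it
        self.files = []
    def manage_addFile(self, file_id, ctx):
        if not ctx.allowed(self, ADD_FILES):
            raise PermissionError("Unauthorized: " + ADD_FILES)
        self.files.append(file_id)

class Context:
    """Roles in force for one request; an active proxy replaces the user's roles."""
    def __init__(self, user_roles):
        self.user_roles = set(user_roles)
        self.proxy_stack = []
    def allowed(self, obj, permission):
        effective = self.proxy_stack[-1] if self.proxy_stack else self.user_roles
        return bool(effective & obj.grants.get(permission, set()))

class Script:
    def __init__(self, proxy_roles=()):
        self.proxy_roles = set(proxy_roles)
    def __call__(self, folder, ctx):
        # Without proxy roles the script runs with the requesting user's roles.
        ctx.proxy_stack.append(self.proxy_roles or ctx.user_roles)
        try:
            folder.manage_addFile("cached-conversion", ctx)   # id is fixed by the script
        finally:
            ctx.proxy_stack.pop()          # elevation ends when the script returns

def try_add(action):
    try:
        action()
        return True
    except PermissionError:
        return False

def compare():
    """Return {setup: (works_via_script, works_via_direct_call)} for an Anonymous visitor."""
    setups = {"anon_grant": ({"Anonymous", "Manager"}, ()),        # permission given to Anonymous
              "proxy_role": ({"Manager"}, ("Manager",))}           # permission kept, script proxied
    results = {}
    for label, (allowed_roles, proxy) in setups.items():
        folder, script, anon = Folder({ADD_FILES: allowed_roles}), Script(proxy), Context({"Anonymous"})
        results[label] = (try_add(lambda: script(folder, anon)),
                          try_add(lambda: folder.manage_addFile("anything", anon)))
    return results
```

In this model both setups let the script create its cached file, but only the proxy-role setup still refuses an add request that does not go through the script.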