[Zope] Idiom for accessing restricted capabilities

Andrew Athan aathan@memeplex.com
Thu, 26 Dec 2002 18:46:49 -0500


This is a multi-part message in MIME format.

------=_NextPart_000_001E_01C2AD0F.28D493D0
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: 7bit

 
Say you have a site which must perform certain restricted activites, but
those activities should be invokable by anonymous users IF AND ONLY IF
the users initiate them from an authorized source (e.g., a specific DTML
or ZPT script)...what is the recommended way of setting this up?
 
Example:  Site X allows anonymous users to purchase an item.  The
purchase() method is defined to be accessible only by a specific
trusted/authenticated user.  The purchase() method should not be
invokable by the anonymous user, but if the anonymous user access the
checkout page template, that page template should be able to invoke
purchase().
 
Now, say I want to invoke purchase() from an ExternalMethod that is
called from an anonymous context, what's the preferred way of setting
and supplying the appropriate credentials?
 
I have solved these problems "my way," think the solution is hairy and
dirty, and would therefore like to see what people's recommended
solutions are.
 
A.
 

------=_NextPart_000_001E_01C2AD0F.28D493D0
Content-Type: text/html;
	charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<TITLE>Message</TITLE>

<META content=3D"MSHTML 6.00.2800.1126" name=3DGENERATOR></HEAD>
<BODY>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><SPAN class=3D718432823-26122002><FONT face=3DArial size=3D2>Say =
you have a site=20
which must perform certain restricted activites, but those activities =
should be=20
invokable by anonymous users IF AND ONLY IF the users initiate them from =
an=20
authorized source (e.g., a specific DTML or ZPT script)...what is the=20
recommended way of setting this up?</FONT></SPAN></DIV>
<DIV><SPAN class=3D718432823-26122002><FONT face=3DArial=20
size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV><SPAN class=3D718432823-26122002><FONT face=3DArial =
size=3D2>Example:&nbsp; Site=20
X allows anonymous users to purchase an item.&nbsp; The purchase() =
method is=20
defined to be accessible only by a specific trusted/authenticated =
user.&nbsp;=20
The purchase() method should not be invokable by the anonymous user, but =
if the=20
anonymous user access the checkout page template, that page template =
should be=20
able to invoke purchase().</FONT></SPAN></DIV>
<DIV><SPAN class=3D718432823-26122002><FONT face=3DArial=20
size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV><SPAN class=3D718432823-26122002><FONT face=3DArial size=3D2>Now, =
say I want to=20
invoke purchase() from an ExternalMethod that is called from an =
anonymous=20
context, what's the preferred way of setting and supplying the =
appropriate=20
credentials?</FONT></SPAN></DIV>
<DIV><SPAN class=3D718432823-26122002><FONT face=3DArial=20
size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV><SPAN class=3D718432823-26122002><FONT face=3DArial size=3D2>I have =
solved these=20
problems "my way," think the solution is hairy and dirty,&nbsp;and would =

therefore like to see what people's recommended solutions=20
are.</FONT></SPAN></DIV>
<DIV><SPAN class=3D718432823-26122002><FONT face=3DArial=20
size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV><SPAN class=3D718432823-26122002><FONT face=3DArial=20
size=3D2>A.</FONT></SPAN></DIV>
<DIV><SPAN class=3D718432823-26122002><FONT face=3DArial=20
size=3D2></FONT></SPAN>&nbsp;</DIV></BODY></HTML>

------=_NextPart_000_001E_01C2AD0F.28D493D0--