[Zope] Idiom for accessing restricted capabilities

Kevin Carlson khcarlso@bellsouth.net
Thu, 26 Dec 2002 21:44:25 -0500


Sounds like you should use a proxy role for the methods in question.

Kevin
  -----Original Message-----
  From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of Andrew Athan
  Sent: Thursday, December 26, 2002 6:47 PM
  To: zope@zope.org
  Subject: [Zope] Idiom for accessing restricted capabilities



  Say you have a site which must perform certain restricted activities, but
those activities should be invokable by anonymous users IF AND ONLY IF the
users initiate them from an authorized source (e.g., a specific DTML or ZPT
script)...what is the recommended way of setting this up?

  Example:  Site X allows anonymous users to purchase an item.  The
purchase() method is defined to be accessible only by a specific
trusted/authenticated user.  The purchase() method should not be invokable
by the anonymous user, but if the anonymous user accesses the checkout page
template, that page template should be able to invoke purchase().

  Now, say I want to invoke purchase() from an ExternalMethod that is called
from an anonymous context, what's the preferred way of setting and supplying
the appropriate credentials?

  I have solved these problems "my way," think the solution is hairy and
dirty, and would therefore like to see what people's recommended solutions
are.

  A.
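
A simplified model of the proxy-role behaviour suggested in the reply, as an added example that is not part of the original thread and is not Zope's own code. The role name "Purchaser", the executables `checkout` and `catalog`, and every function name here are assumptions made for illustration.

```python
from dataclasses import dataclass, field

class Unauthorized(Exception):
    pass

@dataclass
class Executable:              # a page template or script (names are hypothetical)
    name: str
    proxy_roles: tuple = ()    # models the roles granted on the object's Proxy tab

@dataclass
class Context:
    user_roles: tuple
    stack: list = field(default_factory=list)   # executables currently running

def effective_roles(ctx):
    # Proxy roles on the innermost executable replace the user's roles;
    # they do not add to them.
    if ctx.stack and ctx.stack[-1].proxy_roles:
        return ctx.stack[-1].proxy_roles
    return ctx.user_roles

def requires(*roles):
    def wrap(fn):
        def guarded(ctx, arg):
            if not set(effective_roles(ctx)) & set(roles):
                raise Unauthorized(fn.__name__)
            return fn(ctx, arg)
        return guarded
    return wrap

@requires("Purchaser")         # "Purchaser" is an assumed role name
def purchase(ctx, item):
    return "purchased " + item

@requires("Manager")
def admin_report(ctx, name):
    return "report " + name

def attempt(ctx, fn, arg, via=None):
    """Call fn directly (via=None) or from inside executable `via`."""
    if via is not None:
        ctx.stack.append(via)
    try:
        return fn(ctx, arg)
    except Unauthorized:
        return "Unauthorized"
    finally:
        if via is not None:
            ctx.stack.pop()

checkout = Executable("checkout", proxy_roles=("Purchaser",))
catalog = Executable("catalog")    # no proxy roles
```

In this model an anonymous caller reaches `purchase()` only through `checkout`, and a Manager running inside `checkout` is limited to "Purchaser", so the proxy role narrows as well as grants.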
