[Zope] Security?
Goldthwaite, Joe
joe at goldthwaites.com
Mon Dec 1 11:27:34 EST 2003
Thanks Dylan, Derek, Peter & Tim for your help on how to access URL
parameter and on the best approach to take on my project. It helped a lot!
I was able to call my routine, pass the parameters to it, and get a result
back. I felt like I was almost there...then I hit a snag.
I had a routine that was producing an HTML representation of my Income
Statement. I worked it over so that it just returned the data in a list of
line objects. When I hooked that into Zope and tried to run it, I got the
Zope Logon screen. I traced it down to my use of the mx.ODBC module that
I'm using to pull in the data. If I take it out, I no longer get the login
screen.
I figured that executing an external module was not allowed under my (only)
login so I set about the task of finding where to change the permissions to
allow my module to execute. I haven't been able to figure it out! I know
that somewhere, there's a place where you can tell Zope that your module is
safe but nothing I tired worked.
The Zope Book talks about "executable content". I went to the security
settings of my IncomeStatementScript object but I didn't see any permissions
related to allowing modules to execute.
In /Control_Panel/Products/PythonScripts on the README tab, it describes a
method of adding an __init__.py module to a folder in the package directory
with and example of "allow_module(base64) allow_module(re)
allow_module(DateTime.DateTime)". I tried moving my object to a folder in
packages and adding the __init__.py file with "allow_module(ISLines)" but it
choked on the allow_module routine. I tried various things to get
allow_module to work but nothing did. I'm thinking that maybe it's an older
way of doing things that doesn't work anymore.
I found a big list of permissions on the DEFINE PERMISSIONS tab of
/Control_Panel/Products/PythonScripts. That is a bizarre screen! It has a
list of object permissions followed by combo boxes each of which is set to
disabled. I intuitively thought that you would set the permission from
disabled to enabled if you wanted to activate it. Nope. If you pull down
the combo box, you see the entire list of permissions. I'm not getting that
screen at all. What would happen if you set the "Access Transient Objects"
box from "(disabled)" to "Add RAM Cache Managers"?
I tried making my module an external method but it also choked on the import
mx.ODBC line. As a side question, the external method asks for a routine
and function name. I'm trying to execute a class. It has functions in it
but it's not a single function. Are external modules ONLY for specific
functions? Do they work with Python classes at all?
I tend to get wordy so I guess the simplest question is how do I get Zope to
allow me to execute my ISLines.py module?
More information about the Zope
mailing list