[Zope] RDBMS Applications and direct calling of script(python) and sql methods
Dylan Reinhardt
zope at dylanreinhardt.com
Thu Oct 9 18:31:21 EDT 2003
On Thu, 2003-10-09 at 13:36, Eric Merritt wrote:
> Let's take a simple example: assume that each user has
> an id that is keyed to his 'stuff'. The ZSQL method
> must be passed this id to access his stuff. This is
> all fine and good; a Script (Python) method could
> provide this to the ZSQL method behind the scenes
> without any great issue. The problem comes in when the
> user attempts to access this ZSQL method via its
> URL. Going this route he could pretty easily supply
> an arbitrary id and get access to information that he
> shouldn't have.
Yes, that would be a problem... so don't do it that way. :-)
Instead, have Zope provide you the name of the user from its
authentication machinery. That's *much* harder to spoof.
To get this, cook up a Python script called get_user and use this for
the code:
----
# Zope Script (Python): the name comes from the authenticated user on the
# request, not from any parameter the caller could supply in a URL.
from AccessControl import getSecurityManager
return getSecurityManager().getUser().getUserName()
----
Now include a call to get_user() when you need to pass in the username
as a parameter to your query.
HTH,
Dylan
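The two patterns discussed in this thread, as an added stand-alone example that is not part of the original post: a query that takes the user id as a caller-supplied parameter (what Eric describes) beside one that derives the identity from the security manager (what Dylan suggests). It uses sqlite3 in place of a ZSQL method, and because Zope's `AccessControl.getSecurityManager` is not importable outside Zope, it defines a minimal stand-in with the same `getUser().getUserName()` call shape; that stand-in, the table names and the sample rows are all constructed for this example.

```python
"""Added example, not from the original mailing-list post: the id-as-parameter
query beside the authenticated-user query, with sqlite3 standing in for a ZSQL
method and a hypothetical stand-in for Zope's security manager."""
import sqlite3


class _User:
    """Stand-in for the object Zope's getSecurityManager().getUser() returns."""
    def __init__(self, name):
        self._name = name

    def getUserName(self):
        return self._name


class _SecurityManager:
    """Stand-in (assumption of this example) for AccessControl.getSecurityManager().
    In Zope the user is set by the authentication machinery for the request,
    so a caller cannot choose it the way it can choose a URL parameter."""
    def __init__(self, user):
        self._user = user

    def getUser(self):
        return self._user


def get_user(security_manager):
    """Same logic as the get_user Script (Python) in the post."""
    return security_manager.getUser().getUserName()


def build_db():
    """Constructed sample data: two users, each owning some 'stuff'."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE);
        CREATE TABLE stuff (id INTEGER PRIMARY KEY, owner_id INTEGER, data TEXT);
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO stuff VALUES (10, 1, 'alice secret'), (20, 2, 'bob secret');
    """)
    return conn


def stuff_by_id_param(conn, user_id):
    """The pattern Eric describes: the query takes the id as a parameter.
    It is parameterised, so there is no SQL injection, but whoever can reach
    it by URL picks the id, so it will happily return another user's rows."""
    rows = conn.execute(
        "SELECT data FROM stuff WHERE owner_id = ?", (user_id,)).fetchall()
    return [r[0] for r in rows]


def stuff_for_current_user(conn, security_manager):
    """Dylan's pattern: the identity comes from the security manager and the
    query joins on it, so nothing in the request can substitute another id."""
    username = get_user(security_manager)
    rows = conn.execute(
        "SELECT s.data FROM stuff s JOIN users u ON u.id = s.owner_id "
        "WHERE u.username = ?", (username,)).fetchall()
    return [r[0] for r in rows]


def demo():
    """Alice is the authenticated user but supplies bob's id (2) 'in the URL'."""
    conn = build_db()
    alice = _SecurityManager(_User("alice"))
    leaked = stuff_by_id_param(conn, 2)         # bob's rows come back
    own = stuff_for_current_user(conn, alice)   # only alice's rows
    return leaked, own


if __name__ == "__main__":
    print(demo())
```

The join on `users.username` is the whole point: the only input the query trusts is the name Zope attached to the request after authentication, so the same script body serves every user without ever accepting an id from the outside.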