[Zope] RDBMS Applications and direct calling of script(python) and sql methods
Erik Myllymaki
erik.myllymaki at aviawest.com
Thu Oct 9 18:54:21 EDT 2003
> On Thu, 2003-10-09 at 13:36, Eric Merritt wrote:
> > Let's take a simple example: assume that each user has
> > an id that is keyed to his 'stuff'. The zsql method
> > must be passed this id to access his stuff. This is
> > all fine and good; a script(python) method could
> > provide this to the zsql method behind the scenes
> > without any great issue. The problem comes in when the
> > user attempts to access this zsql method via its
> > url. Going this route he could pretty easily supply
> > an arbitrary id and get access to information that he
> > shouldn't have.
>
> Yes, that would be a problem... so don't do it that way. :-)
>
> Instead, have Zope provide you the name of the user from its
> authentication machinery. That's *much* harder to spoof.
>
> To get this, cook up a Python script called get_user and use this for
> the code:
>
> ----
> from AccessControl import getSecurityManager
> return getSecurityManager().getUser().getUserName()
> ----
>
> Now include a call to get_user() when you need to pass in the username
> as a parameter to your query.
Any reason why you shouldn't just use <dtml-var AUTHENTICATED_USER>
as a parameter to your SQL query?
Just curious...
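To make the difference between the two designs discussed in this thread concrete, here is an added, self-contained example (not code from the thread, and not Zope's own API). It stands in for the Zope pieces with plain Python: an in-memory sqlite3 table plays the RDBMS behind the ZSQL method, a hypothetical `Request` object carries an attacker-controlled `form` dict alongside an `authenticated_user` set by the server, and `query_stuff` is the parameterized query. `vulnerable_view` takes the owner key from the request parameters, as when the ZSQL method is called directly by URL; `hardened_view` takes it only from the authenticated identity, which is the get_user() approach the quoted reply recommends.

```python
import sqlite3
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data standing in for the RDBMS behind the ZSQL method.
SCHEMA = """
CREATE TABLE stuff (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, item TEXT NOT NULL);
INSERT INTO stuff VALUES (1, 'alice', 'alice-secret');
INSERT INTO stuff VALUES (2, 'bob',   'bob-secret');
"""


def make_db():
    """Create the in-memory table used by the examples below."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


@dataclass
class Request:
    """Hypothetical stand-in for a Zope REQUEST (assumption, not Zope's class).

    form: query-string/form values, fully under the caller's control.
    authenticated_user: the name established by the server's authentication
    machinery, or None for an unauthenticated (anonymous) caller.
    """
    authenticated_user: Optional[str]
    form: dict = field(default_factory=dict)


def query_stuff(conn, owner):
    """Stand-in for the ZSQL method: a parameterized query keyed on owner.

    Parameterization stops SQL injection, but it does nothing to stop the
    caller from choosing a different owner value.
    """
    rows = conn.execute(
        "SELECT item FROM stuff WHERE owner = ?", (owner,)
    ).fetchall()
    return [r[0] for r in rows]


def vulnerable_view(conn, request):
    """The pattern the thread warns about: the key comes from the URL/form,
    so any user can read any other user's stuff by changing the parameter."""
    return query_stuff(conn, request.form["owner"])


def hardened_view(conn, request):
    """The recommended pattern: the key comes only from the authenticated
    identity, so whatever is in the form cannot redirect the query."""
    owner = request.authenticated_user
    if owner is None:
        # Refuse anonymous callers instead of querying for a placeholder name.
        raise PermissionError("authentication required")
    return query_stuff(conn, owner)


if __name__ == "__main__":
    db = make_db()
    # bob is logged in but asks for alice's stuff via the form parameter.
    req = Request(authenticated_user="bob", form={"owner": "alice"})
    print("vulnerable:", vulnerable_view(db, req))
    print("hardened:  ", hardened_view(db, req))
```

The attacker-controlled `form` value is still passed through a parameterized query, so the leak in `vulnerable_view` is an authorization problem, not an injection problem; the fix is to take the key from the server's notion of who is calling and never from the request.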