[Zope] RDBMS Applications and direct calling of script(python) and sql methods
Derek S. Wilson
dwilson at abrazohealth.com
Thu Oct 9 19:07:05 EDT 2003
Says KeyError AUTHENTICATED_USER when I try it.
Thanks,
Derek Wilson
-----Original Message-----
From: Erik Myllymaki [mailto:erik.myllymaki at aviawest.com]
Sent: Thursday, October 09, 2003 3:54 PM
To: zope at dylanreinhardt.com; Eric Merritt
Cc: Zope Users
Subject: Re: [Zope] RDBMS Applications and direct calling of script(python) and sql methods
> On Thu, 2003-10-09 at 13:36, Eric Merritt wrote:
> > Let's take a simple example, assume that each user has
> > an id that is keyed to his 'stuff'. The zsql method
> > must be passed this id to access his stuff. This is
> > all fine and good, a script(python) method could
> > provide this to the zsql method behind the scenes
> > without any great issue. The problem comes in when the
> > user attempts to access this zsql method via its
> > url. Going this route he could pretty easily supply
> > an arbitrary id and get access to information that he shouldn't
> > have.
>
> Yes, that would be a problem... so don't do it that way. :-)
>
> Instead, have Zope provide you the name of the user from its
> authentication machinery. That's *much* harder to spoof.
>
> To get this, cook up a Python script called get_user and use this for
> the code:
>
> ----
> from AccessControl import getSecurityManager
> return getSecurityManager().getUser().getUserName()
> ----
>
> Now include a call to get_user() when you need to pass in the username
> as a parameter to your query.
Any reason why you shouldn't just use <dtml-var AUTHENTICATED_USER> as
a parameter to your SQL query?
just curious...
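As an added illustration of the two call paths discussed in the thread (this is not code from the thread; Zope's AccessControl is replaced by a small constructed stub so it runs without Zope, and sqlite3 stands in for the RDBMS): the ZSQL method keyed per user, the direct URL call where the caller names the owner, and the Script (Python) wrapper that takes the owner from getSecurityManager() instead.

```python
import sqlite3

# Stub for Zope's AccessControl.getSecurityManager(), so the example runs
# without Zope. In Zope the user comes from the request's authentication;
# here simulate_login() sets it. Stub and data are constructed, not Zope's.
_CURRENT_USER = None

class _User:
    def __init__(self, name):
        self._name = name
    def getUserName(self):
        return self._name

class _SecurityManager:
    def getUser(self):
        return _User(_CURRENT_USER)

def getSecurityManager():
    return _SecurityManager()

def simulate_login(name):
    global _CURRENT_USER
    _CURRENT_USER = name

# Constructed sample table: each user's 'stuff' keyed by owner name.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE stuff (owner TEXT, item TEXT)")
    db.executemany("INSERT INTO stuff VALUES (?, ?)",
                   [("alice", "alice-secret"), ("bob", "bob-secret")])
    return db

# The ZSQL method: a parameterised query returning rows for whatever owner
# it is handed. By itself it cannot tell who is asking.
def zsql_get_stuff(db, owner):
    rows = db.execute("SELECT item FROM stuff WHERE owner = ?", (owner,))
    return [r[0] for r in rows]

# Direct URL call: the owner comes from the request, so a caller can name
# any owner (the problem Eric describes).
def direct_url_call(db, request):
    return zsql_get_stuff(db, request["owner"])

# Script (Python) wrapper as suggested in the thread: the owner is taken
# from the authentication machinery and the request value is ignored.
def script_python_call(db, request):
    owner = getSecurityManager().getUser().getUserName()
    return zsql_get_stuff(db, owner)
```

With bob logged in, the direct call still returns alice's rows when the request says owner=alice, while the wrapper only ever returns bob's.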
_______________________________________________
Zope maillist - Zope at zope.org
http://mail.zope.org/mailman/listinfo/zope