[Zope] RDBMS Applications and direct calling of script(python) and sql methods
Derek S. Wilson
dwilson at abrazohealth.com
Thu Oct 9 19:44:22 EDT 2003
Yeah, using dtml-sqlvar fixed it. I'm having a different problem now...
I need to get a list of users in ACL_USERS to create a form where people
can assign stuff to different users. Here's the code for the display...
<SELECT NAME="AssignedTo">
<dtml-in "acl_users.getUserNames()">
<OPTION LABEL="<dtml-var sequence-item>" VALUE="<dtml-var sequence-item>"><dtml-var sequence-item></OPTION>
</dtml-in>
</SELECT>
But when I try it as a regular (non-manager/owner) user it says:
Error Type: Unauthorized
Error Value: You are not allowed to access getUserNames in this context
What could be wrong?
Thanks,
Derek Wilson
-----Original Message-----
From: Erik Myllymaki [mailto:erik.myllymaki at aviawest.com]
Sent: Thursday, October 09, 2003 4:34 PM
To: Derek S. Wilson; zope at dylanreinhardt.com; Eric Merritt
Cc: Zope Users
Subject: Re: [Zope] RDBMS Applications and direct calling of script(python) and sql methods
I use this ZSQL method to return the ID number of my users:
------------------------------------------------------------------------
select employee_id from staff
where login = <dtml-sqlvar "REQUEST.get('AUTHENTICATED_USER')" type=string>
------------------------------------------------------------------------
> Says keyerror AUTHENTICATED_USER when I try it.
>
> Thanks,
> Derek Wilson
>
>
> -----Original Message-----
> From: Erik Myllymaki [mailto:erik.myllymaki at aviawest.com]
> Sent: Thursday, October 09, 2003 3:54 PM
> To: zope at dylanreinhardt.com; Eric Merritt
> Cc: Zope Users
> Subject: Re: [Zope] RDBMS Applications and direct calling of script(python) and sql methods
>
>
> > On Thu, 2003-10-09 at 13:36, Eric Merritt wrote:
> > > Let's take a simple example, assume that each user has
> > > an id that is keyed to his 'stuff'. The zsql method
> > > must be passed this id to access his stuff. This is
> > > all fine and good, A script(python) method could
> > > provide this to the zsql method behind the scenes
> > > without any great issue. The problem comes in when the user
> > > attempts to access this zsql method via its url. Going this
> > > route he could pretty easily supply an arbitrary id and get
> > > access to information that he shouldn't have.
> >
> > Yes, that would be a problem... so don't do it that way. :-)
> >
> > Instead, have Zope provide you the name of the user from its
> > authentication machinery. That's *much* harder to spoof.
> >
> > To get this, cook up a Python script called get_user and use this
> > for the code:
> >
> > ----
> > from AccessControl import getSecurityManager
> > return getSecurityManager().getUser().getUserName()
> > ----
> >
> > Now include a call to get_user() when you need to pass in the
> > username as a parameter to your query.
>
>
> Any reason why you shouldn't just use <dtml-var AUTHENTICATED_USER>
> as a parameter to your SQL query?
>
> just curious...
>
> _______________________________________________
> Zope maillist - Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope-dev )
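The two patterns discussed in this thread, as an added example that is not part of the original mail and not Zope code: a query that trusts an id supplied in the request (the situation Eric Merritt describes, where the ZSQL method is reachable by URL) beside one that derives the principal from the authentication machinery, as Dylan suggests with get_user(). The Request class, the staff/stuff tables and the sample rows are constructed stand-ins for Zope's REQUEST and the poster's database; sqlite3 placeholders take the role dtml-sqlvar plays in a ZSQL method.

```python
import sqlite3

# Constructed sample data (not from the thread): a staff table keyed by
# employee_id, and a "stuff" table holding rows owned by an employee.
STAFF = [(1, "derek"), (2, "erik")]
STUFF = [(1, "derek's budget"), (2, "erik's budget"), (2, "erik's timesheet")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (employee_id INTEGER PRIMARY KEY, login TEXT)")
    conn.execute("CREATE TABLE stuff (employee_id INTEGER, item TEXT)")
    conn.executemany("INSERT INTO staff VALUES (?, ?)", STAFF)
    conn.executemany("INSERT INTO stuff VALUES (?, ?)", STUFF)
    return conn


class Request:
    """Assumed stand-in for a Zope REQUEST: form parameters the client
    controls, plus the user name the authentication machinery established."""

    def __init__(self, form, authenticated_user):
        self.form = dict(form)
        self.authenticated_user = authenticated_user


def stuff_by_request_id(conn, request):
    """The pattern the thread warns about: the query is keyed by an
    employee_id read straight from the form, so any caller who can reach
    the method by URL chooses whose rows come back. The value is still
    bound as a parameter, so this is an authorization flaw, not injection."""
    employee_id = int(request.form["employee_id"])
    rows = conn.execute(
        "SELECT item FROM stuff WHERE employee_id = ? ORDER BY rowid",
        (employee_id,),
    ).fetchall()
    return [item for (item,) in rows]


def stuff_for_authenticated_user(conn, request):
    """The fix suggested in the thread: take the login from the
    authentication machinery (get_user() in Zope terms) and ignore
    whatever id the form carries, so the caller can only reach rows
    that belong to the principal the server itself established."""
    login = request.authenticated_user
    rows = conn.execute(
        "SELECT stuff.item FROM stuff JOIN staff USING (employee_id) "
        "WHERE staff.login = ? ORDER BY stuff.rowid",
        (login,),
    ).fetchall()
    return [item for (item,) in rows]


if __name__ == "__main__":
    db = make_db()
    # derek is authenticated but sends erik's employee_id in the form
    req = Request({"employee_id": "2"}, "derek")
    print("request-supplied id:", stuff_by_request_id(db, req))
    print("authenticated user: ", stuff_for_authenticated_user(db, req))
```

Run it and the first line lists erik's rows even though derek is the authenticated user, while the second lists only derek's; the difference is entirely in where the key comes from, not in how the SQL is built.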