[Zope] RDBMS Applications and direct calling of script(python) and sql methods

Erik Myllymaki erik.myllymaki at aviawest.com
Thu Oct 9 19:34:18 EDT 2003


I use this ZSQL method to return the ID number of my users:

-----------------------------------------------------------------------------------------
select employee_id from staff
where login = <dtml-sqlvar "REQUEST.get('AUTHENTICATED_USER')" type=string>
-----------------------------------------------------------------------------------------

> Says keyerror AUTHENTICATED_USER when I try it.
>
> Thanks,
> Derek Wilson
>
>
> -----Original Message-----
> From: Erik Myllymaki [mailto:erik.myllymaki at aviawest.com]
> Sent: Thursday, October 09, 2003 3:54 PM
> To: zope at dylanreinhardt.com; Eric Merritt
> Cc: Zope Users
> Subject: Re: [Zope] RDBMS Applications and direct calling of script(python) and sql methods
>
>
> > On Thu, 2003-10-09 at 13:36, Eric Merritt wrote:
> > >  Lets take simple example, assume that each user has
> > > an id that is keyed to his 'stuff'. The zsql method
> > > must be passed this id to access his stuff. This is
> > > all fine and good, A script(python) method could
> > > provide this to the zsql method behind the scenes
> > > without any great issue. The problem comes in when the
> > > user attempts to access this zsql method from via its
> > > url. Going this route he could pretty easily supply
> > > an arbitrary id and get access to information that he shouldn't
> > > have.
> >
> > Yes, that would be a problem... so don't do it that way.  :-)
> >
> > Instead, have Zope provide you the name of the user from its
> > authentication machinery.  That's *much* harder to spoof.
> >
> > To get this, cook up a Python script called get_user and use this for
> > the code:
> >
> > ----
> > from AccessControl import getSecurityManager
> > return getSecurityManager().getUser().getUserName()
> > ----
> >
> > Now include a call to get_user() when you need to pass in the username
> > as a parameter to your query.
>
>
> Any reason why you shouldn't just use <dtml-var AUTHENTICATED_USER> as
> a parameter to your SQL query?
>
> just curious...
>
> _______________________________________________
> Zope maillist  -  Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://mail.zope.org/mailman/listinfo/zope-announce
>  http://mail.zope.org/mailman/listinfo/zope-dev )
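The access-control point Eric raises and Dylan's answer (key the query on the identity Zope's authentication machinery reports, never on an id the caller supplies) can be shown without a Zope instance. The following is an added example, not code from the thread or from Zope: plain Python with an in-memory sqlite3 database standing in for the RDBMS. The `staff`, `login` and `employee_id` names come from Erik's ZSQL method; the `stuff` table, its rows, the `authenticated_login` argument (which plays the role of `getSecurityManager().getUser().getUserName()`) and all function names are assumptions made for the demonstration.

```python
"""IDOR through a URL-callable query vs. a query bound to the authenticated user.

Constructed stand-in for the Zope discussion: ``staff`` and ``stuff`` hold
sample rows; ``authenticated_login`` is what the security machinery would
report (the get_user script in the thread); function names are hypothetical.
"""
import sqlite3


def make_db():
    """In-memory database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE staff (employee_id INTEGER PRIMARY KEY, login TEXT UNIQUE NOT NULL);
        CREATE TABLE stuff (employee_id INTEGER NOT NULL, item TEXT NOT NULL);
        INSERT INTO staff VALUES (1, 'erik'), (2, 'derek');
        INSERT INTO stuff VALUES (1, 'erik payroll'), (1, 'erik review'), (2, 'derek payroll');
        """
    )
    return conn


def stuff_by_employee_id(conn, employee_id):
    """The pattern Eric warns about: the query takes the owner's id as a parameter.

    Fed the right id by a trusted Script (Python) this is fine; published at a
    URL, the same method lets the caller choose any id.
    """
    rows = conn.execute(
        "SELECT item FROM stuff WHERE employee_id = ? ORDER BY item",
        (employee_id,),
    ).fetchall()
    return [r[0] for r in rows]


def stuff_for_authenticated_user(conn, authenticated_login):
    """The recommended pattern: key the query on the authenticated login.

    ``authenticated_login`` must come from the authentication layer, not from
    the request, so there is no parameter left for the caller to tamper with.
    The ``?`` placeholder is sqlite3's counterpart of
    <dtml-sqlvar ... type=string>: the value is bound, never pasted into SQL.
    """
    rows = conn.execute(
        "SELECT stuff.item FROM stuff JOIN staff USING (employee_id)"
        " WHERE staff.login = ? ORDER BY stuff.item",
        (authenticated_login,),
    ).fetchall()
    return [r[0] for r in rows]


def handle_vulnerable(conn, request, authenticated_login):
    """URL-style handler that honours ?employee_id=... from the request.

    The authenticated identity is available but ignored, so any logged-in
    user can read any employee's rows.
    """
    del authenticated_login  # known, but never consulted: that is the bug
    return stuff_by_employee_id(conn, int(request["employee_id"]))


def handle_fixed(conn, request, authenticated_login):
    """Hardened handler: the request carries no owner selector at all."""
    del request  # nothing in the URL or form influences whose rows are read
    return stuff_for_authenticated_user(conn, authenticated_login)


def demo():
    """Derek is authenticated and sends a constructed request asking for id 1 (Erik)."""
    conn = make_db()
    request = {"employee_id": "1"}  # constructed attacker-controlled input
    leaked = handle_vulnerable(conn, request, "derek")   # Erik's rows
    own = handle_fixed(conn, request, "derek")           # only Derek's rows
    anon = handle_fixed(conn, request, "Anonymous User") # Zope's anonymous principal: no rows
    return leaked, own, anon


if __name__ == "__main__":
    print(demo())
```

The fix is structural rather than a filter: `handle_fixed` has no owner parameter to validate because the only selector is the principal the framework already established. In Zope terms, the ZSQL method's argument is filled from `get_user()` inside a Script (Python), and the ZSQL method itself should not be reachable by URL with a caller-supplied value.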