[Zope] Scripts run as least privileged user necessary?
Chris Withers
chrisw at nipltd.com
Thu Sep 4 10:54:26 EDT 2003
Ken Causey wrote:
> It is a precondition script whose goal is to try to prevent access to an
> image unless you are viewing it embedded within a page of my site.

A simpler solution is just to look at your logs every now and then and bitch at
people who are hijacking images ;-)

> The
> closest I've been able to come to this goal is to add a value to the
> session within the page and check in the precondition script for the
> image that the value is defined. Although not ideal this works
> sufficiently.

I think that's about as good as it'll get, HTTP and HTML are not designed to do
what you want them to...

> Where I'm running into the problem I described above is that I wanted to
> exempt managers from the check for the session variable. The obvious
> way to do that seemed to be to check the role of the user.

Indeed, but that's a nigh-on impossible task given the way HTTP and HTML work
together...

> I welcome any alternatives you can suggest.

Hmmm, why do you care so much about these images being hijacked?

cheers,
Chris
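
The log review suggested in the reply above can be scripted. The following is an added example, not part of the original message or of Zope; it assumes an access log in Apache "combined" format, and the host names, addresses and log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Assumption: Apache "combined" log format (request, status, size, referer, agent).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")

def hotlinkers(lines, own_hosts):
    """Return [((referring_host, image_path), hits), ...] for images that were
    served to pages hosted elsewhere, most frequent first."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] not in ("200", "304"):
            continue  # unparseable line, or the image was not served
        path = m["path"].split("?", 1)[0]
        if not path.lower().endswith(IMAGE_EXT):
            continue
        # A missing Referer ("-") is a direct request or a stripped header;
        # it cannot be attributed to another site, so it is not counted.
        host = urlparse(m["referer"]).hostname
        if host is None or host in own_hosts:
            continue
        counts[(host, path)] += 1
    return counts.most_common()

# Constructed sample lines: www.example.com is the site that owns the images.
SAMPLE = [
    '192.0.2.10 - - [04/Sep/2003:10:00:01 -0400] "GET /images/logo.gif HTTP/1.1" '
    '200 5120 "http://www.example.com/index_html" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Sep/2003:10:00:05 -0400] "GET /images/photo.jpg HTTP/1.1" '
    '200 20480 "http://forum.example.net/thread/42" "Mozilla/5.0"',
    '198.51.100.8 - - [04/Sep/2003:10:01:12 -0400] "GET /images/photo.jpg HTTP/1.0" '
    '304 - "http://forum.example.net/thread/42" "Mozilla/4.0"',
    '203.0.113.5 - - [04/Sep/2003:10:02:30 -0400] "GET /images/photo.jpg HTTP/1.1" '
    '200 20480 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/Sep/2003:10:03:44 -0400] "GET /about HTTP/1.1" '
    '200 900 "http://forum.example.net/thread/42" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (host, path), hits in hotlinkers(SAMPLE, {"www.example.com"}):
        print(f"{hits:5d}  {host}  {path}")
```

The Referer header is supplied by the client and can be absent or forged, so the counts show which sites embed the images rather than proving every individual request.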