[Zope] Scripts run as least privileged user necessary?

Ken Causey ken at kencausey.com
Fri Sep 5 11:28:30 EDT 2003


On Fri, 2003-09-05 at 07:47, Chris Withers wrote:
> Ken Causey wrote:
> >>Indeed, but that's a nigh-on impossible task given the way HTTP and HTML work 
> >>together...
> > 
> > I don't understand why.  In the past I have made such checks in DTML and
> > ZPT pages and it seemed to work fine.  Is it not a common task to have a
> > page that has different behaviour based on the roles of the user?
> 
> HTTP is stateless. It has no notion of whether or not the request for an image 
> is within a page or not. Yeah, you can set a session variable or some other sort 
> of cookie, but if your image is anonymously viewable, that may well not help you.

Thanks for your continued explanation.  Now that I think about it, the
example that I'm thinking of required authentication to view the page at
all, which explains why role information was available.  In this case, as
you are aware, I'm trying to have a mixture of anonymous and
authenticated, and clearly that's where I'm running into trouble.  Sorry
for my slow understanding.

Ken

> 
> Chris