[Zope] Re: Re: [Security] How to encrypt a Zope oid ?

Passin, Tom tpassin at mitretek.org
Mon Sep 15 12:48:15 EDT 2003


[Sinclair]

> Example : a document has url :
>  $ZOPE/.../document_manager/document_37.
> 
> I wish the displayed url to look like :
> $ZOPE/.../document_manager?document=k2316fge54dsgb51v3vsdv4
> 
> It is the document_manager that translates an unreadable parameter to
> the document's real url.
> 
> What I want to avoid is somebody trying to access manually to
> document_38, document_39, etc., just to add more security...
> 

If I wanted to look at the document, I would just copy and paste that
document number.  Do you really mean that you do not want people to be
able to __guess__ other nearby URLs?  Why would you not want that?

If you think that an unauthorized person should not be able to view a
given page, you need to apply some authorization machinery.  An
obfuscated URL is not really enough.  If that is not what you mean, then
presumably you are willing to allow any user to access those pages.
Why, then, would you want to make it harder for them to do so?  If you
want the pages to appear only within their intended frame, a user with
the right browser can easily defeat that intention unless you enforce it
using javascript in the page.

Please explain further why you wish to restrict access to those pages,
then maybe you will get more useful suggestions.

Cheers,

Tom P
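
The point made in the reply above, as an added Python example that is not part of the original message and not Zope's own code: a document manager that hides ids behind opaque tokens still serves anyone who pastes a token, until a per-user check is applied. The names `token_for`, `fetch_obfuscated_only` and `fetch_authorized`, the secret, and the sample documents are all constructed for illustration.

```python
import hashlib
import hmac

# Assumption: a server-side secret, constructed for this example.
SECRET = b"constructed-demo-key"

# Constructed sample data: document id -> (content, users allowed to view it).
DOCUMENTS = {
    "document_37": ("Q3 budget", {"alice"}),
    "document_38": ("Salary review", {"bob"}),
}


def token_for(doc_id):
    """Opaque URL parameter: a keyed hash, so neighbours cannot be found by counting."""
    return hmac.new(SECRET, doc_id.encode(), hashlib.sha256).hexdigest()[:24]


# Lookup table the hypothetical document_manager uses to resolve ?document=<token>.
TOKENS = {token_for(doc_id): doc_id for doc_id in DOCUMENTS}


def fetch_obfuscated_only(token):
    """Obfuscation alone: whoever holds the token (copied, logged, bookmarked) is served."""
    doc_id = TOKENS.get(token)
    if doc_id is None:
        return 404, None
    return 200, DOCUMENTS[doc_id][0]


def fetch_authorized(user, token):
    """Same lookup, but the decision to serve depends on who is asking."""
    doc_id = TOKENS.get(token)
    if doc_id is None:
        return 404, None
    content, viewers = DOCUMENTS[doc_id]
    if user not in viewers:
        return 403, None
    return 200, content


if __name__ == "__main__":
    pasted = token_for("document_37")  # alice's link, pasted by bob
    print("obfuscation only:", fetch_obfuscated_only(pasted))
    print("bob, with check: ", fetch_authorized("bob", pasted))
    print("alice, with check:", fetch_authorized("alice", pasted))
```
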


