[Zope] Security of a Web Application in Zope

Dylan Reinhardt zope at dylanreinhardt.com
Wed Sep 24 16:08:38 EDT 2003


On Wed, 2003-09-24 at 10:32, Edward Pollard wrote:
> The project hierarchy basically looks like this:
> 
> /root
>    index.html
>    otherfiles.html
>    /queries
>        all Z SQL Methods
>    /scripts
>        all python scripts
> 
> 
> The problem as I perceive it is that you can feed my Z SQL Methods and 
> python scripts any input you want if you know what they are called.

Assuming you haven't taken any measures to prevent that, yes.

> 
> This is bad. Security via Obscurity is not secure.

Sure isn't.


> Anyone with better thoughts on securing my scenario? (Or, indeed, if I 
> need to turn my scenario on its head?)

Instead of grouping your objects by *type* you should group them by
*permissions* such that traversing further into the hierarchy enforces
increasingly strict permissions.

Read the Zope Book chapter on security, come up with some roles that
describe your different functional groups and configure your objects to
only respond to the roles you want using them.

http://zope.org/Documentation/Books/ZopeBook/2_6Edition/Security.stx

HTH,

Dylan
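
The layout change Dylan describes, modelled in code as an added example (this is not Zope's own code and not something either poster wrote). It is a small model of how Zope 2 resolves a permission on an object to a set of roles by acquisition from the parent folders: each folder either ticks roles for a permission locally, with or without the "acquire" flag, or leaves it unset and inherits the parent's grant. The permission names View and Use Database Methods are real Zope permissions; the site layout, the object names and the Member role are invented for the illustration. The first layout is the by-type tree from the question, with Use Database Methods granted to Anonymous at the root so that public pages can run the queries; the second groups objects by who may use them and switches acquisition off at each folder boundary.

```python
"""Toy model of how Zope 2 resolves a permission to roles by acquisition.
Added example, not Zope's own code; the site layout, object names and the
Member role are invented, the permission names are real Zope permissions."""
from __future__ import annotations
from dataclasses import dataclass, field

VIEW = "View"                    # guards pages and Python Scripts
DB = "Use Database Methods"      # guards Z SQL Methods


def local(roles: set[str], acquire: bool = False) -> tuple[frozenset[str], bool]:
    """One row of the Security tab: roles ticked for a permission on this
    object, plus whether roles granted on the parent are acquired too."""
    return frozenset(roles), acquire


@dataclass
class Node:
    """A folder or callable object in the hypothetical site."""
    name: str
    parent: Node | None = None
    settings: dict[str, tuple[frozenset[str], bool]] = field(default_factory=dict)
    protected_by: str | None = None   # permission needed to invoke a leaf object
    children: dict[str, Node] = field(default_factory=dict)

    def add(self, name: str, settings: dict | None = None,
            protected_by: str | None = None) -> Node:
        child = Node(name, self, dict(settings or {}), protected_by)
        self.children[name] = child
        return child

    def path(self) -> str:
        return "" if self.parent is None else f"{self.parent.path()}/{self.name}"

    def effective_roles(self, permission: str) -> frozenset[str]:
        # An unset permission means "nothing ticked here, acquire", Zope's default.
        roles, acquire = self.settings.get(permission, (frozenset(), True))
        if acquire and self.parent is not None:
            roles = roles | self.parent.effective_roles(permission)
        return roles

    def allows(self, permission: str, user_roles: set[str]) -> bool:
        return bool(self.effective_roles(permission) & user_roles)


def traverse(root: Node, url_path: str) -> Node:
    """Follow a URL path such as /queries/lookup_user down the tree."""
    node = root
    for part in url_path.strip("/").split("/"):
        node = node.children[part]
    return node


def reachable(node: Node, roles: set[str]) -> list[str]:
    """Every callable object below `node` that a user holding `roles` may
    invoke directly by URL, i.e. what an attacker who guesses names gets."""
    found = []
    if node.protected_by and node.allows(node.protected_by, roles):
        found.append(node.path())
    for child in node.children.values():
        found.extend(reachable(child, roles))
    return sorted(found)


def layout_by_type() -> Node:
    """The layout from the question: folders by object type. To let the
    public pages run the queries, Use Database Methods was granted to
    Anonymous at the root, and every object below acquires that grant."""
    root = Node("root", settings={VIEW: local({"Anonymous", "Manager"}),
                                  DB: local({"Anonymous", "Manager"})})
    root.add("index_html", protected_by=VIEW)
    queries = root.add("queries")
    queries.add("lookup_user", protected_by=DB)
    queries.add("delete_user", protected_by=DB)
    scripts = root.add("scripts")
    scripts.add("reset_password", protected_by=VIEW)
    return root


def layout_by_permission() -> Node:
    """Folders by who may use the contents. Acquisition is switched off at
    each folder boundary, so the grant made for the public area can never
    leak into the member or admin areas below it."""
    root = Node("root", settings={VIEW: local({"Anonymous", "Manager"}),
                                  DB: local({"Manager"})})
    public = root.add("public")                      # acquires View for Anonymous
    public.add("index_html", protected_by=VIEW)
    members = root.add("members", {VIEW: local({"Member", "Manager"}),
                                   DB: local({"Member", "Manager"})})
    members.add("lookup_user", protected_by=DB)
    members.add("reset_password", protected_by=VIEW)
    admin = root.add("admin", {VIEW: local({"Manager"}), DB: local({"Manager"})})
    admin.add("delete_user", protected_by=DB)
    return root


if __name__ == "__main__":
    for build in (layout_by_type, layout_by_permission):
        print(build.__name__, "-> Anonymous can call:", reachable(build(), {"Anonymous"}))
```

The point of `reachable` is the check to run against a real site: the role a visitor actually holds, not the pages you intended them to see, decides which Z SQL Methods they can invoke by URL with arguments of their choosing. In the by-type tree that is every query, including `delete_user`; in the by-permission tree an anonymous visitor reaches only `/public/index_html`, a Member reaches the member area, and only a Manager reaches `/admin`.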
