[Zope] Hiding ZMI Pages
The Count
the.count at count0.dyndns.org
Thu Nov 4 18:58:02 EST 2004
On Thu, 4 Nov 2004 16:43:19 -0700, Thomas Rampelberg
<pyronicide at gmail.com> wrote:
> Is there a way to keep users from being able to see any of the
> management pages? For example, return a 404 error if someone tries to
> go to http://zopesite/manage or http://zopesite/object/manage.
This would also apply to yourself wanting to access the ZMI,
are you sure you want to do this?
Unless they can authenticate they will not see the ZMI ... they'd need to
login as a user with the "Manager" role.
(or be granted this access through a script using a manager proxy role
executing arbitary code because it trusted a form field passed to it by a
user *g*...)
To hide the ZMI from users knowledgeable about Zope you could modify the
source to use a different URI for the ZMI but I'd advise against this
since you'd have to reiterate the procedure over each newly upgraded zope.
>
> In a similar vein, how would you go about keeping users from executing
> python scripts or external methods by just typing in the path to that
> object (http://zopesite/pythonscript) yet still let the pages that use
> those methods to access them?
Protect them via the "Security" TAB (in ZMI) then only users with the
required priviledges can render, inspect and/or modify the so restrained
Z-Object.
--
---
The Count
More information about the Zope
mailing list