[Zope] Hiding ZMI Pages
Cliff Ford
Cliff.Ford at ed.ac.uk
Fri Nov 5 08:15:22 EST 2004
Just to add to these comments:
bruno modulix wrote:
> Thomas Rampelberg wrote:
>
>> Is there a way to keep users from being able to see any of the
>> management pages?
>
>
> In the security tab, there's a 'View management screens'
>
>> For example, return a 404 error if someone tries to
>> go to http://zopesite/manage or http://zopesite/object/manage.
>
>
> If you run Zope behind Apache, you could take advantage of rewrite rules
> and access control to hide 'manage' urls from requests on port 80 while
> allowing 'em on 8080 (or whatever port your Zope listens to).

You could do management through a secure shell:

ssh www.yoursite.com -L8080:localhost:8080

then use Apache to allow only localhost:8080/manage requests to get to real
management urls.

>> In a similar vein, how would you go about keeping users from executing
>> python scripts or external methods by just typing in the path to that
>> object (http://zopesite/pythonscript) yet still let the pages that use
>> those methods to access them?
>
>
> It's in the fine manual, section "proxy roles".

Do you mean "Allow anonymous users to see a page that contains the
output from a script, but deny the anonymous user the ability to call
that script directly"? In the FM it is not so obvious you do this:

1. Give the Python script the View/Manager only permission, then
2. Call the script from a DTML document that has the Manager proxy role.

That at least stops the script from being called from the browser URL
box. I am not sure this would do any good. If hackers want to get at
your script with fake data they could try calling your DTML document
with their own parameters.

Cliff
Sorry I seem to have stolen a thread - deleted original message.
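
The Apache approach discussed in this thread, as an added example that is not part of the original messages: the public port 80 virtual host answers 404 for management URLs and proxies everything else to Zope. The host name www.example.com, Zope on 127.0.0.1:8080, and a VirtualHostMonster object in the Zope root are assumptions.

```apache
# Added example (assumed names: www.example.com, Zope on 127.0.0.1:8080).
# Requires mod_rewrite and mod_proxy; Zope side needs a VirtualHostMonster.
<VirtualHost *:80>
    ServerName www.example.com
    RewriteEngine On

    # 404 for any path segment that is exactly "manage" or starts with
    # "manage_" (manage_main, manage_workspace, ...), at any depth, so
    # /manage and /object/manage are both covered. "/management" is not
    # matched. Zope ids are case-sensitive, so no [NC] flag is used.
    # Side effect: content objects whose id begins with "manage_" are
    # hidden on this port as well.
    RewriteRule (^|/)manage(_[^/]*)?(/|$) - [R=404,L]

    # Everything else goes to Zope through the VirtualHostMonster.
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/http/www.example.com:80/VirtualHostRoot/$1 [P,L]
</VirtualHost>

# Port 8080 itself must not be reachable from outside (firewall it or
# have Zope listen on the loopback address only). Management then goes
# through the tunnel from the message above:
#   ssh www.yoursite.com -L8080:localhost:8080
# and the ZMI is opened at http://localhost:8080/manage on the admin's
# own machine.
```

This only hides the screens on the public port; the 'View management screens' permission mentioned earlier in the thread still decides who can use them on 8080.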