[Zope] Hiding ZMI Pages

Cliff Ford Cliff.Ford at ed.ac.uk
Fri Nov 5 08:15:22 EST 2004


Just to add to these comments:

bruno modulix wrote:
> Thomas Rampelberg wrote:
> 
>> Is there a way to keep users from being able to see any of the
>> management pages? 
> 
> 
> In the security tab, there's a 'View management screens'
> 
>> For example, return a 404 error if someone tries to
>> go to http://zopesite/manage or http://zopesite/object/manage.
> 
> 
> If you run Zope behind Apache, you could take advantage of rewrite rules 
> and access control to hide 'manage' urls from requests on port 80 while 
> allowing them on 8080 (or whatever port your Zope listens on).

You could do management through a secure shell:

ssh www.yoursite.com -L8080:localhost:8080

then use apache to allow only localhost:8080/manage requests to get to real
management urls.

>> In a similar vein, how would you go about keeping users from executing
>> python scripts or external methods by just typing in the path to that
>> object (http://zopesite/pythonscript) yet still let the pages that use
>> those methods to access them?
> 
> 
> It's in the fine manual, section "proxy roles".

Do you mean "Allow anonymous users to see a page that contains the 
output from a script, but deny the anonymous user the ability to call 
that script directly"? In the FM it is not so obvious; you do this:

1. Give the python script the View/Manager only permission, then

2. Call the script from a dtml document that has the Manager proxy role.

That at least stops the script from being called from the browser url 
box. I am not sure this would do any good. If hackers want to get at 
your script with fake data they could try calling your dtml document 
with their own parameters.

Cliff

Sorry I seem to have stolen a thread - deleted original message.
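A concrete Apache front-end for the arrangement described above (hide 'manage' URLs on port 80, reach Zope on 8080 only through the SSH tunnel), added here as an illustration and not taken from the thread; the hostname www.yoursite.com, Apache 2.4 with mod_rewrite and mod_proxy, and Zope bound to the loopback address on 8080 are assumptions:

```apache
# Added example, not from the thread. Assumes Apache 2.4 with mod_rewrite and
# mod_proxy loaded, Zope listening on 127.0.0.1:8080 only (so port 8080 is not
# reachable from outside), and the placeholder hostname www.yoursite.com.
<VirtualHost *:80>
    ServerName www.yoursite.com

    RewriteEngine On

    # 1. Hide the ZMI on the public port. Any path segment that starts with
    #    "manage" (manage, manage_main, manage_workspace, ...) gets a 404 here
    #    and never reaches Zope. The "-" substitution with a non-3xx status
    #    drops the substitution and stops rewriting.
    #    Caveat: this also catches legitimate object ids beginning with
    #    "manage" (e.g. "management"); tighten the pattern if you have such ids.
    RewriteRule (^|/)manage - [R=404,L]

    # 2. Everything else is proxied to Zope through the VirtualHostMonster so
    #    that URLs generated by Zope point back at port 80 on this host.
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/http/%{SERVER_NAME}:80/VirtualHostRoot/$1 [P,L]
</VirtualHost>

# Admin workflow (the tunnel from the message above): on the workstation run
#   ssh www.yoursite.com -L8080:localhost:8080
# and open http://localhost:8080/manage. The tunnel ends on the server's
# loopback interface and talks to Zope directly, so the 404 rule on port 80
# never applies to it, while the public side never sees a management screen.
```

Confirm the rule with `curl -i http://www.yoursite.com/manage_main` (expect 404) before relying on it, and remember it only hides the screens: the 'View management screens' permission on the Security tab is still what actually denies access.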
