[Zope] calling scripts from scripts and permission
Robert Rottermann
robert at redcor.ch
Thu Nov 25 14:02:49 EST 2004
Massimo,
there are two things to consider.
The rights of the first script which is manager and should therefore be
enough for what ever you want to do.
BUT:
the maximum rights it can acquire when running the second script are the
ones the owner of that script has.
To avoid cross scripting attacks a script will always run with the
rights of the script owner.
Otherwise you could try to trick some manager to execute a malicious
script you do not have enough credentials to run.
Robert
massimop at users.berlios.de wrote:
> Hi
>
> I would like to call script (the one called 'Script (python)', it should
> manage the properties of a Folder) from another that have a proxy of
> Manager
>
> My guess was that in this way the first one would be executed with
> Manager role, but actually I was wrong... it complain that I'm not
> "allowed to access 'manage_changeProperties' in this context"
>
> Am I doing something weird, or is this the way it should work?
>
> P.S.
> the same (first) script, called on the same Folder object whe the
> authenticated user is the owner of the Folder, works
>
>
> thanks
> massimo
>
>
> _______________________________________________
> Zope maillist - Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope-dev )
>
>
More information about the Zope
mailing list