[Zope] Fundamentals of Zope Security

Andreas Jung lists at andreas-jung.com
Fri Sep 17 13:34:29 EDT 2004



--On Friday, 17 September 2004 11:26 -0600 Edward Pollard
<pollej at uleth.ca> wrote:

> Hello all,
>
> Simple problem: a password change form.
>
> The form is a page template. It submits to another page template. This
> page template calls a python script that changes your password in LDAP
> (via external methods). I'm leaving off quite a bit, here, of course.
>
> How can I secure the python scripts so that clever users cannot
> arbitrarily execute them?

Write the script in a way that you determine the username based on the
authentication from Zope (getSecurityManager().getUser().getUserName())
and then change the password in LDAP using the passed password from the
form.
This should be safe enough since the script does not allow you to pass the
username and it will only change the password for the logged in user. I don't
see a way to fake authentication at this point.

-aj
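Added illustration (not code from the thread or from Zope): the two variants side by side, a script that trusts a form-supplied username and one that takes the username from Zope's authenticated user as Andreas suggests. The Zope security manager and the LDAP external method are replaced by constructed stand-ins so it runs offline; in a real Script (Python) you would use `from AccessControl import getSecurityManager` instead. The anonymous-user check is an added assumption, not something the reply mentions.

```python
# Added example: constructed stand-ins for Zope's security manager and the
# LDAP-writing external method, so the two script shapes can be compared.

class FakeUser:
    """Stand-in for the object returned by getSecurityManager().getUser()."""
    def __init__(self, name):
        self._name = name

    def getUserName(self):
        return self._name


class FakeSecurityManager:
    """Stand-in for AccessControl.getSecurityManager() (constructed)."""
    def __init__(self, user):
        self._user = user

    def getUser(self):
        return self._user


class FakeLDAP:
    """Stand-in for the external method that writes the password to LDAP."""
    def __init__(self):
        # Constructed sample directory with two accounts.
        self.passwords = {"alice": "old-a", "bob": "old-b"}

    def set_password(self, username, new_password):
        if username not in self.passwords:
            raise KeyError(username)
        self.passwords[username] = new_password


def change_password_unsafe(form, ldap):
    # Trusts the form: whoever submits the form picks the account to change.
    ldap.set_password(form["username"], form["password"])
    return form["username"]


def change_password_safe(form, security_manager, ldap):
    # Username comes from Zope's authenticated user; any 'username' field
    # in the form is ignored, so only the caller's own entry can change.
    me = security_manager.getUser().getUserName()
    # Assumption: refuse unauthenticated callers (Zope's anonymous user).
    if me == "Anonymous User":
        raise PermissionError("password change requires a logged-in user")
    ldap.set_password(me, form["password"])
    return me
```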



