[Zope] Re: Fundamentals of Zope Security
Josef Meile
jmeile at hotmail.com
Fri Sep 17 15:36:42 EDT 2004
Hi Edward,
> Simple problem: a password change form.
>
> The form is a page template. It submits to another page template. This
> page template calls a python script that changes your password in LDAP
> (via external methods). I'm leaving off quite a bit, here, of course.
>
> How can I secure the python scripts so that clever users cannot
> arbitrarily execute them?
First you have to protect the templates and scripts by assigning no View
permission for Anonymous. Then you could get the authenticated user
from the external method and see if he's changing his own password;
otherwise, you could raise an Unauthorized exception.
Regards,
Josef
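How the check Josef describes could look inside the External Method. This is an added example, not code from the thread or from Zope itself; it assumes the form posts the target account as `userid` and the new password as `newpassword`, stubs the LDAP write with a callable so it runs offline, and falls back to a local `Unauthorized` class when Zope's `AccessControl` package is not importable.

```python
"""Added example (not from the original post): the 'only change your own
password' check for a password-change External Method in Zope.

Assumptions not stated in the thread: the form field names 'userid' and
'newpassword', the stubbed LDAP write, and the FakeUser stand-in.
"""

# AccessControl.Unauthorized is the real Zope exception class; outside a
# Zope instance we define a stand-in so the example still runs.
try:
    from AccessControl import Unauthorized  # type: ignore
except ImportError:
    class Unauthorized(Exception):
        """Stand-in for AccessControl.Unauthorized when Zope is absent."""

# Name Zope gives the special unauthenticated user.
ANONYMOUS = 'Anonymous User'


class FakeUser:
    """Constructed stand-in for a Zope user object; real code would use
    REQUEST.AUTHENTICATED_USER or getSecurityManager().getUser()."""

    def __init__(self, name):
        self._name = name

    def getUserName(self):
        return self._name


def change_own_password(authenticated_user, userid, newpassword,
                        ldap_set_password):
    """Write the new password only if the caller is changing their own.

    authenticated_user: object exposing getUserName().
    userid:             account named in the submitted form (assumed field).
    newpassword:        new password from the form (assumed field).
    ldap_set_password:  callable(userid, password) doing the LDAP write;
                        stubbed here, the real one lives in the External
                        Method's own code.
    Returns the userid whose password was changed.
    """
    caller = authenticated_user.getUserName()
    # Step 1 of the reply (no View permission for Anonymous) is done in the
    # ZMI or via manage_permission on the script; this guard is the second
    # line of defence should the script ever be reachable anonymously.
    if not caller or caller == ANONYMOUS:
        raise Unauthorized('login required to change a password')
    # Step 2 of the reply: the authenticated user must match the target.
    if caller != userid:
        raise Unauthorized('you may only change your own password')
    ldap_set_password(userid, newpassword)
    return userid


def demo():
    """Run the check against a constructed in-memory 'directory'."""
    directory = {}

    def fake_ldap_write(user, password):
        directory[user] = password

    # Alice changing her own password succeeds.
    change_own_password(FakeUser('alice'), 'alice', 'n3w-pass', fake_ldap_write)

    # Bob trying to change Alice's password is refused and nothing is written.
    refused = False
    try:
        change_own_password(FakeUser('bob'), 'alice', 'evil', fake_ldap_write)
    except Unauthorized:
        refused = True

    return directory, refused


if __name__ == '__main__':
    print(demo())
```

The function takes the user object as a parameter rather than reading it from the request so that the decision is easy to unit-test; in the real External Method you would pass `REQUEST.AUTHENTICATED_USER` (or `getSecurityManager().getUser()`) and the form fields from `REQUEST.form`.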