[Zope] Is there any way to turn off the publishing of externalmethods to the web in Zope?

Mark, Jonathan (Integic) jonathan.mark at integic-hc.com
Fri Jan 26 14:32:13 EST 2007


Using a proxy role on the calling Python Script worked. My guess is that a clever hacker could call the Python Script continually and then create a race condition that would permit him to call the External Method directly in a URL, thus passing the External Method his own malicious parameters. 

However, for now Proxy is sufficient. Thanks. 

-----Original Message-----
From: Jonathan [mailto:dev101 at magma.ca]
Sent: Friday, January 26, 2007 2:06 PM
To: Mark, Jonathan (Integic); Andreas Jung; zope at zope.org
Subject: Re: [Zope] Is there any way to turn off the publishing of
externalmethods to the web in Zope?

----- Original Message ----- 
From: "Mark, Jonathan (Integic)" <jonathan.mark at integic-hc.com>
To: "Andreas Jung" <lists at zopyx.com>; <zope at zope.org>
Sent: Friday, January 26, 2007 2:06 PM
Subject: RE: [Zope] Is there any way to turn off the publishing of 
externalmethods to the web in Zope?


> The relevant permission for an external method in 2.10.1 is "Access
> contents information."
>
> The problem is that the Zope application which calls my External Method
> from a Python Script always runs unauthenticated. I turned off in the
> ZMI my External Method's access for unauthenticated users, and left it
> on for "Owner." However, now users who call the Python Script which
> calls the External Method also get prompted for authentication.
>
> I need unauthenticated users to be able to run the calling Python
> Script.
>
> I wonder if there is some way for unauthenticated users of a Python
> Script to be dynamically assigned a Zope role at the start of the Python
> Script and then lose that role at the conclusion of the Python Script.
> Is that inherently unsafe even if it is possible?

You can assign a Proxy role to your python script, but this may not solve 
your problem as anyone who can access the python script will be able to 
execute the external method that the python script calls.


Jonathan 



More information about the Zope mailing list