[Zope] Is there any way to turn off the publishing of externalmethods to the web in Zope?

Mark, Jonathan (Integic) jonathan.mark at integic-hc.com
Fri Jan 26 14:47:02 EST 2007


I will add the URL test. In addition, I will pass a long symmetric 64-bit key to the external method as a parameter, and require the external method to confirm that the correct key was passed. Since only I have access to my file system and to my ZMI, this is sufficient.

Extraneously, I would like to say how excited I am about the willingness of Zopistas to respond to questions from an ordinary user like me. Everyone talks about the buzzword frameworks Django and RoR. But the most important factor for a user ought to be the ability to get support online. On this point I don't see how Zope could be much better, as long as we ordinary users don't abuse it.

Zope Corporation is opening an office in Northern Virginia, and that says to me that the commercial Zope community is growing. If I apply myself then maybe in a few years I would be part of it myself.

Just my two shekels.

-----Original Message-----
From: Jonathan [mailto:dev101 at magma.ca]
Sent: Friday, January 26, 2007 2:30 PM
To: Mark, Jonathan (Integic); zope at zope.org
Subject: Re: [Zope] Is there any way to turn off the publishing of
externalmethods to the web in Zope?



----- Original Message ----- 
From: "Mark, Jonathan (Integic)" <jonathan.mark at integic-hc.com>
To: "Jonathan" <dev101 at magma.ca>; <zope at zope.org>
Sent: Friday, January 26, 2007 2:32 PM
Subject: RE: [Zope] Is there any way to turn off the publishing of 
externalmethods to the web in Zope?


> Using a proxy role on the calling Python Script worked. My guess is that a 
> clever hacker could call the Python Script continually and then create a 
> race condition that would permit him to call the External Method directly 
> in a URL, thus passing the External Method his own malicious parameters.

That's why I suggested, in an earlier response, a URL test within the 
external method.


Jonathan 
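
The two checks discussed in this thread, the URL test inside the External Method and the shared key passed in by the calling Python Script, combined in one guard. This is an added example, not code from either poster or from Zope. The method id, the key value, and the assumption that the URL test inspects `REQUEST['URL']` for the method's own id are all illustrative.

```python
import hmac
from urllib.parse import urlsplit

# Constructed placeholder key (16 hex chars = 64 bits). Assumption: a real key
# is generated once, e.g. with secrets.token_hex(8), and kept on the file system.
SHARED_KEY = "0123456789abcdef"
METHOD_ID = "do_privileged_work"  # hypothetical id of the External Method


class DirectCallRefused(Exception):
    """Raised when a guard decides the call did not come from the script."""


def called_by_url(request, method_id=METHOD_ID):
    """URL test: true when the published URL path names the method itself."""
    path = urlsplit(request.get("URL", "")).path
    return method_id in [seg for seg in path.split("/") if seg]


def key_matches(supplied, expected=SHARED_KEY):
    """Compare in constant time so response timing does not leak the key."""
    if not isinstance(supplied, str):
        return False
    return hmac.compare_digest(supplied.encode(), expected.encode())


def do_privileged_work(self, REQUEST, key=None, payload=""):
    """External Method entry point: both guards run before any real work."""
    if called_by_url(REQUEST):
        raise DirectCallRefused("not callable through the web")
    if not key_matches(key):
        raise DirectCallRefused("bad key")
    return "processed %r" % (payload,)
```

The calling Python Script would pass `context.REQUEST` and the key. When the script is the published object, `REQUEST['URL']` names the script rather than the External Method, so the URL test passes.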


