[Zope] Zope 2, local python script security

Martijn Pieters mj at zopatista.com
Thu May 24 10:17:21 EDT 2007


On 5/23/07, David H <bluepaul at earthlink.net> wrote:
> I have a (zope 2.8.8-final) folder that gives users with the role
> "Authenticated" the following Permissions:
>
> -------------------------------
>    . access contents
>    . view
>    - note: no webDav or FTP access is allowed
> -------------------------------
>
> Playing around with wget and curl I find I can (with proper
> authentication) download the "published" but not raw source of zpt and
> python files available in the folder.
>
> So, for example, the script "\folder\pyDate" returns '2007/05/23' not
> its source, e.g.
>
> # module: pyDate
> from DateTime import DateTime
> return DateTime().Date()
>
> This is the behavior I want - as we have a requirement to keep source
> secure.
>
> I realize that source in Zope-Instance/Extensions is the most secure but
> I'm interested in local script security.

I am not sure what your question is; you didn't state one. I am
guessing that you want to know if there is any way Authenticated could
get at the source anyway. The answer to that question is:
no, unless users have additional permissions they cannot see the
source code of DTML and Python scripts.

-- 
Martijn Pieters

