[Zope] how to prevent URL access to an external method?

Tres Seaver tseaver at palladion.com
Tue Apr 28 11:38:18 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pedro LaWrench wrote:
> I need to do something on the filesystem, which requires unrestricted
> python, so I created an external method. The problem is that anyone
> can call that directly via URL, so I added a permission check. Even
> then, users with the sufficient permissions can call this via URL,
> which I don't want them to do. I only want them to have access
> indirectly from other pages (such as a page template that will pass
> sane parameters). Is there anyway to do this?

Add a REQUEST argument to your function, defaulting to None.  The
publisher will always pass the request in for that argument, while the
other templates / scripts should not.  E.g.:

 def doSomething(self, REQUEST=None):
     """ Don't call me directly via a URL!!!
     """
     if REQUEST is not None:
         raise ValueError('Wicked, evil, naughty Zoot!')


Tres.
- --
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJ9yLq+gerLs4ltQ4RAlj1AKDG4YIkceWD8yXpz0jvxqiN8Qlw2gCbBa9E
tCVUTkjoRIPL8YjSzFHY528=
=QbiL
-----END PGP SIGNATURE-----



More information about the Zope mailing list