[Zope] Anonymous security
Brian Sullivan
briansullivan at gmail.com
Sat Dec 18 16:56:19 EST 2010
Yeah -- I rediscovered Proxy roles and that seems like the most
straightforward strategy -- not sure if there are counter indicators
though that would make that strategy problematic.
On Sat, Dec 18, 2010 at 10:42 AM, Bart Jansen
<bart.jansen at esac.climbing.nl> wrote:
> Hi all,
>
> When I face a situation like Brian describes I am used to using Proxy
> roles on the publicly available script to give it permission to do the
> restricted actions. Is that a good approach or should I not use this?
>
> One of the difficulties when using Proxy roles is that they do not
> propagate to the scripts/methods being called by the script that has the
> Proxy roles set.
>
> Regards, Bart
>
> PS. I'm new on the mailing list. My name is Bart Jansen and in my spare
> time I manage a couple of Zope2 sites for non-profit student sports
> clubs in the Netherlands.
>
> On 18-12-2010 8:10, Andreas Jung wrote:
>> http://collective-docs.plone.org/security/permissions.html#bypassing-permission-checks
>>
>> (works only from trusted code like browser views or package code - not
>> from PythonScripts)
>>
>> -aj
>>
>> Brian Sullivan wrote:
>>> I am looking at a situation (an online self registry process) where I
>>> want to allow a user that is not logged in to be able to create a user
>>> and do a number of other functions normally reserved for and
>>> restricted to logged in users with fairly elevated rights. I need to
>>> perform these functions from a Python script.
>>
>>> What is the best strategy for doing this? I am thinking that creating
>>> a separate python script that has elevated rights and allowing
>>> Anonymous access to it and calling it from a script that does not have
>>> elevated rights is the best strategy to manage it. Am I creating a
>>> huge security hole by doing this?
>>> _______________________________________________
>>> Zope maillist - Zope at zope.org
>>> https://mail.zope.org/mailman/listinfo/zope
>>> ** No cross posts or HTML encoding! **
>>> (Related lists -
>>> https://mail.zope.org/mailman/listinfo/zope-announce
>>> https://mail.zope.org/mailman/listinfo/zope-dev )
>>
>>
>
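The non-propagation of Proxy roles mentioned in the thread, as an added example that is not part of the original messages and is not Zope's AccessControl code: a simplified pure-Python model in which only the innermost running script's proxy roles are consulted. The names Script, SecurityManager, register, create_member and add_user are hypothetical.

```python
# Simplified model of the behaviour described in the thread; this is an
# assumption-based sketch, not Zope's AccessControl code.
from dataclasses import dataclass
from typing import Callable

class Unauthorized(Exception):
    pass

@dataclass
class Script:
    name: str
    body: Callable            # called with the SecurityManager
    proxy_roles: tuple = ()   # empty means "run with the user's own roles"

class SecurityManager:
    def __init__(self, user_roles):
        self.user_roles = set(user_roles)
        self.stack = []       # executable stack, innermost script last

    def effective_roles(self):
        # Only the innermost script is consulted. Its proxy roles, if set,
        # replace the user's roles; outer callers are never inspected.
        if self.stack and self.stack[-1].proxy_roles:
            return set(self.stack[-1].proxy_roles)
        return self.user_roles

    def require(self, needed):
        if not self.effective_roles() & set(needed):
            raise Unauthorized(self.stack[-1].name if self.stack else "<top>")

    def call(self, script):
        self.stack.append(script)
        try:
            return script.body(self)
        finally:
            self.stack.pop()

def add_user(sm):
    sm.require({"Manager"})   # restricted action
    return "user created"

def register(helper_proxy_roles=(), direct=False):
    """Anonymous visitor calls a public script that has the Manager proxy role."""
    sm = SecurityManager({"Anonymous"})
    helper = Script("create_member", add_user, tuple(helper_proxy_roles))
    body = add_user if direct else (lambda s: s.call(helper))
    try:
        return sm.call(Script("register", body, ("Manager",)))
    except Unauthorized as exc:
        return "Unauthorized in " + str(exc)
```

In this model the public script can perform the restricted action itself, but a helper it calls fails unless the helper carries its own proxy role, which also keeps the elevated role from leaking into every nested call.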