[ZPT] No proxy roles in page templates? What do I do then?

Itai Tavor itai@optusnet.com.au
Thu, 27 Sep 2001 09:58:03 +1000


R. David Murray wrote:

>On Wed, 26 Sep 2001, Itai Tavor wrote:
>>  If you mean that the PT will call a script which has proxy roles,
>>  that wouldn't help at all IMO, because the script will need to be
>>  publicly accessible, opening a security hole.
>>
>>  I want to ensure that certain object interface methods are only
>>  called by authorized methods, and are not accessible TTW nor by DTML
>>  or PT methods written by other Zope users. So I protect those
>
>I fail to see a security difference between having a publicly accessible
>Template with a proxy Manager role and having a publicly accessible
>script with a proxy Manager role.  In either case you control what
>is accepted as input and don't control what is done with the output
>(though granted it is harder to prize the info out of the results
>returned by the template).
>
>Maybe I'm just missing something, though...

What you're missing is what I failed to say :-)

My problem occurs when a method should only be visible to a single 
unauthenticated user. For example, when a user is creating an order 
in an e-commerce application, all the details of that order must only 
be visible to that user. So every UI method related to the order 
first verifies that the user is allowed to access it (by comparing 
the current session key to a key stored in the order object), and 
then uses a proxy role to access protected interface methods of the 
order object and other objects related to the order.

If I now change the UI to use PTs, the user verification must also be 
done by any and all scripts that access order data, which means that 
a lot of methods will now have to perform the same test that before 
was only needed in a single place, causing both unnecessary 
duplication of code as well as waste of time. It will also make the 
verification code itself more complicated, but I won't go into that 
here. Or, I could write a single script for each UI method, which 
would verify the user, then pull all the data that the UI method 
requires, and return it in a dictionary to the PT. So now I would 
need two methods for every one I used to have, and the PT would 
become less clear and harder to manage.

All this trouble just because PTs don't have proxy roles? Why don't 
they, anyway?

Itai
-- 
--
Itai Tavor                      -- "Je sautille, donc je suis."    --
itai@optusnet.com.au            --               - Kermit the Frog --
--                                                                 --
-- "If you haven't got your health, you haven't got anything"      --
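The check-then-elevate pattern Itai describes (compare the session key to the key stored in the order, then use a proxy role to reach protected methods) as an added stand-alone model; this is not Zope's AccessControl API and not code from the thread, and the `Order`, `protected`, `proxy_role` and `order_view` names are constructed for the illustration:

```python
import hmac
import secrets
from contextlib import contextmanager
from functools import wraps

# Constructed model of the thread's pattern: not Zope's real AccessControl
# machinery, just a minimal stand-in for role checks and proxy roles.
class Unauthorized(Exception):
    pass

_active_roles = set()  # roles of the code currently executing

def protected(role):
    """Mark a method as callable only while `role` is active (a protected interface method)."""
    def deco(fn):
        @wraps(fn)
        def wrapper(*args, **kwargs):
            if role not in _active_roles:
                raise Unauthorized(f"{fn.__name__} requires role {role!r}")
            return fn(*args, **kwargs)
        return wrapper
    return deco

@contextmanager
def proxy_role(role):
    """Temporarily run with an extra role, the way a script's proxy role does."""
    _active_roles.add(role)
    try:
        yield
    finally:
        _active_roles.discard(role)

class Order:
    def __init__(self, items):
        self._items = list(items)
        # Key stored in the order when it is created; the browser session holds a copy.
        self.session_key = secrets.token_hex(16)

    @protected("Manager")
    def get_items(self):
        return list(self._items)

def order_view(order, request_session_key):
    """UI method: verify the caller owns this order once, then elevate to read it."""
    # Constant-time comparison so the check does not leak how much of the key matched.
    if not hmac.compare_digest(order.session_key, request_session_key):
        raise Unauthorized("session key does not match this order")
    with proxy_role("Manager"):   # the only place the protected method is reachable
        return order.get_items()
```

Calling `order.get_items()` directly, or `order_view` with the wrong key, raises `Unauthorized`; only the verified path inside the proxy role succeeds.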