[ZPT] No proxy roles in page templates? What do I do then?
Itai Tavor
itai@optusnet.com.au
Thu, 27 Sep 2001 09:58:03 +1000
R. David Murray wrote:
>On Wed, 26 Sep 2001, Itai Tavor wrote:
>> If you mean that the PT will call a script which has proxy roles,
>> that wouldn't help at all IMO, because the script will need to be
>> publicly accessible, opening a security hole.
>>
>> I want to ensure that certain object interface methods are only
>> called by authorized methods, and are not accessible TTW nor by DTML
>> or PT methods written by other Zope users. So I protect those
>
>I fail to see a security difference between having a publicly accessible
>Template with a proxy Manager role and having a publicly accessible
>script with a proxy Manager role. In either case you control what
>is accepted as input and don't control what is done with the output
>(though granted it is harder to prize the info out of the results
>returned by the template).
>
>Maybe I'm just missing something, though...
What you're missing is what I failed to say :-)

My problem occurs when a method should only be visible to a single
unauthenticated user. For example, when a user is creating an order
in an e-commerce application, all the details of that order must only
be visible to that user. So every UI method related to the order
first verifies that the user is allowed to access it (by comparing
the current session key to a key stored in the order object), and
then uses a proxy role to access protected interface methods of the
order object and other objects related to the order.

If I now change the UI to use PTs, the user verification must also be
done by any and all scripts that access order data, which means that
a lot of methods will now have to perform the same test that before
was only needed in a single place, causing both unnecessary
duplication of code and a waste of time. It will also make the
verification code itself more complicated, but I won't go into that
here. Or, I could write a single script for each UI method, which
would verify the user, then pull all the data that the UI method
requires, and return it in a dictionary to the PT. So now I would
need two methods for every one I used to have, and the PT would
become less clear and harder to manage.

All this trouble just because PTs don't have proxy roles? Why don't
they, anyway?
Itai
--
Itai Tavor -- "Je sautille, donc je suis." -- Kermit the Frog
itai@optusnet.com.au
-- "If you haven't got your health, you haven't got anything" --
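The pattern Itai describes (verify the caller's session key against the key stored on the order in one place, then run under a proxy role to reach interface methods that are otherwise protected) can be sketched in plain Python. This is an added illustration, not code from the thread or from Zope; `Order`, `proxy_roles`, `protected`, `order_ui` and the thread-local role context are assumed stand-ins for Zope's security machinery, and the session keys are constructed values.

```python
"""Toy model of 'check the session key once, then use a proxy role'.
Constructed example; the names below are assumptions, not Zope's own API."""
import contextlib
import hmac
import threading


class Unauthorized(Exception):
    """Raised when the current roles do not satisfy a method's permission."""


# Thread-local "current roles", standing in for the request's security context.
_ctx = threading.local()


def current_roles():
    return getattr(_ctx, "roles", frozenset({"Anonymous"}))


@contextlib.contextmanager
def proxy_roles(*roles):
    """Temporarily execute with the given roles, like a script's proxy roles."""
    saved = current_roles()
    _ctx.roles = frozenset(roles)
    try:
        yield
    finally:
        _ctx.roles = saved  # always drop the proxy role again, even on error


def protected(role):
    """Declare that a method may only be called when `role` is held."""
    def deco(fn):
        def wrapper(*args, **kwargs):
            if role not in current_roles():
                raise Unauthorized(f"{fn.__name__} requires role {role!r}")
            return fn(*args, **kwargs)
        wrapper.__name__ = fn.__name__
        return wrapper
    return deco


class Order:
    def __init__(self, order_id, session_key, items):
        self.order_id = order_id
        self._session_key = session_key  # key stored when the order was created
        self._items = list(items)

    @protected("Manager")
    def get_items(self):
        return list(self._items)

    @protected("Manager")
    def add_item(self, item):
        self._items.append(item)


def verify_order_access(order, session_key):
    """The single check: constant-time compare of the caller's session key
    with the key stored on the order. Hypothetical helper name."""
    if session_key is None or not hmac.compare_digest(
        order._session_key.encode(), session_key.encode()
    ):
        raise Unauthorized("session key does not match this order")


def order_ui(fn):
    """Decorator for UI entry points: verify the session first, and only then
    assume the proxy role needed to call the protected interface methods."""
    def wrapper(order, session_key, *args, **kwargs):
        verify_order_access(order, session_key)
        with proxy_roles("Manager"):
            return fn(order, *args, **kwargs)
    wrapper.__name__ = fn.__name__
    return wrapper


@order_ui
def show_order(order):
    return {"order_id": order.order_id, "items": order.get_items()}


@order_ui
def add_to_order(order, item):
    order.add_item(item)
    return len(order.get_items())


def demo():
    """Exercise the three cases: direct call, wrong key, right key."""
    order = Order("A-1", "k-owner", ["book"])  # constructed sample order
    results = {}
    try:                      # no role held: interface method is unreachable
        order.get_items()
        results["direct"] = "allowed"
    except Unauthorized:
        results["direct"] = "denied"
    try:                      # wrong key: refused before any proxy role is taken
        show_order(order, "k-other")
        results["wrong_key"] = "allowed"
    except Unauthorized:
        results["wrong_key"] = "denied"
    results["right_key"] = show_order(order, "k-owner")["items"]
    results["after_add"] = add_to_order(order, "k-owner", "pen")
    results["roles_restored"] = sorted(current_roles())
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the `order_ui` wrapper is the one Itai makes: the session check lives in a single place and the proxy role is only ever assumed after it passes, so a page that reaches the order data through such an entry point cannot skip the check, and the protected methods stay unreachable to anyone calling them directly.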