[ZPT] How are you ZPT users securing your interfaces?
Tino Wildenhain
tino at wildenhain.de
Tue Feb 1 16:31:26 EST 2005
Am Dienstag, den 01.02.2005, 20:19 +0000 schrieb Kevin Gill:
> I know this has come up before, but I cannot see a solution to the problem
> in the archives.
>
> I have a Zope application written using Page Templates (Presentation
> Templates?) to interface to the user. I cannot see how to prevent a
> malicious visitor from by-passing the Template and accessing the python
> scripts and ZSQL methods behind it.
>
> In the DTML world I can use proxy roles to achieve this, but proxy roles
> have been specifically and deliberately omitted from the Template
> implementation in Zope. I cannot find any documentation describing why they
> were omitted (I presume that they create other problems for the ZPT
> developers), or how to secure your system using ZPT.
>
> I can think of the following options only (none are practical):
>
> 1. Use DTML for security
> 2. Put a layer in python in front of the Presentation layer
> 3. Ignore Security
>
> How are you ZPT users securing your interfaces?
Just build a sane interface out of python scripts or product
methods and secure them (by means of proxyroles and permissions
as they fit) and dont worry if the user can access the same
information with or without fancy HTML layer.
Regards
Tino
More information about the ZPT
mailing list