[ZPT] How are you ZPT users securing your interfaces?

Kevin Gill Kevin.Gill at newaddress.ie
Wed Feb 2 16:23:14 EST 2005


My thanks to Tino and Philip for taking the time to respond.

With respect to Tino's approach, these would require that Security is 
designed in at an early stage. Unfortunately, I designed it into my 
application at an early stage based on false assumptions about the 
underlying model.

Philip, you are using Apache to restrict access to inner components. This is 
a clever approach, but since Zope has a comprehensive security mechanism I 
will use that instead of trying my hand at apache configuration.

My business layer currently has about 80 exposed methods between python 
scripts and ZSQL scripts (they add up very quickly). This would be quite 
difficult to re-engineer at this stage. I have 6 separate interfaces (each 
very simple), 4 browser interfaces (one user, one call centre, one 
administrator, one corporate) and 2 XML for an offline browser and an 
administrative client which can do things a browser cannot. In my situation, 
I feel that using proxy roles is the only practical approach.

I had a look at the page template management (ZMI) class and it is very 
straightforward to copy the Proxy Role code (ZMI interface) from the 
PythonScripts management class (ZMI). The proxy roles seem to work. If I 
have any problems with them down the road, I will let this list know.

In the meantime, if anyone out there knows of any pitfall that I am walking 
into, please let me know.

Thanks again to Philip and Tino.

Regards

Kevin

----- Original Message ----- 
From: "Tino Wildenhain" <tino at wildenhain.de>
To: "Kevin Gill" <Kevin.Gill at newaddress.ie>
Cc: <zpt at zope.org>
Sent: Tuesday, February 01, 2005 9:31 PM
Subject: Re: [ZPT] How are you ZPT users securing your interfaces?


> Am Dienstag, den 01.02.2005, 20:19 +0000 schrieb Kevin Gill:
>> I know this has come up before, but I cannot see a solution to the
>> problem in the archives.
>>
>> I have a Zope application written using Page Templates (Presentation
>> Templates?) to interface to the user. I cannot see how to prevent a
>> malicious visitor from by-passing the Template and accessing the python
>> scripts and ZSQL methods behind it.
>>
>> In the DTML world I can use proxy roles to achieve this, but proxy roles
>> have been specifically and deliberately omitted from the Template
>> implementation in Zope. I cannot find any documentation describing why
>> they were omitted (I presume that they create other problems for the ZPT
>> developers), or how to secure your system using ZPT.
>>
>> I can think of the following options only (none are practical):
>>
>>     1. Use DTML for security
>>     2. Put a layer in python in front of the Presentation layer
>>     3. Ignore Security
>>
>> How are you ZPT users securing your interfaces?
>
> Just build a sane interface out of python scripts or product
> methods and secure them (by means of proxyroles and permissions
> as they fit) and don't worry if the user can access the same
> information with or without fancy HTML layer.
>
> Regards
> Tino
> 
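A self-contained Python model of the arrangement Tino recommends and Kevin has adopted, added here as an illustration and not code from this thread or from Zope itself (it uses no Zope API; the permission table, the account data and the function names are constructed): the Manager-only method stands in for a ZSQL method, and the script carrying a Manager proxy role is the only route a Member has to it.

```python
PERMISSIONS = {  # constructed permission -> roles map (a model, not Zope's own)
    "View": {"Anonymous", "Member", "Manager"},
    "Use Database Methods": {"Manager"},
}
ACCOUNTS = {"alice": 120, "bob": 5}  # stand-in for the table a ZSQL method reads

class Context:
    """Authenticated user plus a stack of effective role sets."""
    def __init__(self, user, roles):
        self.user, self.role_stack = user, [set(roles)]
    def check(self, permission):
        if not self.role_stack[-1] & PERMISSIONS[permission]:
            raise PermissionError(f"{self.user} lacks {permission}")

def protected(permission):  # permission the caller needs to invoke fn at all
    def deco(fn):
        def wrapper(ctx, *args):
            ctx.check(permission)
            return fn(ctx, *args)
        return wrapper
    return deco

def proxy_roles(*roles):  # inside fn, checks use these roles, not the caller's
    def deco(fn):
        def wrapper(ctx, *args):
            ctx.role_stack.append(set(roles))
            try:
                return fn(ctx, *args)
            finally:
                ctx.role_stack.pop()
        return wrapper
    return deco

@protected("Use Database Methods")  # the "ZSQL method": Manager only
def sql_all_balances(ctx):
    return dict(ACCOUNTS)
@protected("View")       # any visitor may call the script...
@proxy_roles("Manager")  # ...which then runs with Manager rights inside
def script_my_balance(ctx):
    # Pitfall: under a proxy role a caller-supplied name would expose every row.
    return sql_all_balances(ctx)[ctx.user]

def run_demo(user="alice", roles=("Member",)):
    ctx = Context(user, roles)
    try:
        sql_all_balances(ctx)
        direct = "allowed"
    except PermissionError:
        direct = "denied"
    return {"via_script": script_my_balance(ctx), "direct": direct}
```

`run_demo()` returns `{'via_script': 120, 'direct': 'denied'}` for a Member: the data comes back through the script, while skipping the script and calling the SQL method directly is refused.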


