[ZPT] How are you ZPT users securing your interfaces?
Dieter Maurer
dieter at handshake.de
Wed Feb 2 16:32:42 EST 2005
Kevin Gill wrote at 2005-2-1 20:19 -0000:
> ...
>I have a Zope application written using Page Templates (Presentation
>Templates?) to interface to the user. I cannot see how to prevent a
>malicious visitor from by-passing the Template and accessing the python
>scripts and ZSQL methods behind it.
I posted a really long time ago an External Method
that allows you to give any object an "index_html" method.
If an object has a (non "None") "index_html" method, then
ZPublisher will call it.
Effectively, you can control in this way, how the object
behaves when called via the Web.
With an appropriate "index_html" you can prevent such calls.
Another option is to use a special folder that restricts
(URL-) traversal through it. I think there is a product
for this (never used it though).
I agree that all these approaches are workarounds only.
Zope should have a special permission (say "URL callable")
to control whether an object can be called via the Web.
But, it does not do ...
--
Dieter
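
A simplified model of the rule described in the message above (the publisher prefers a non-"None" "index_html" over calling the object itself), added here as an illustration; it is not the External Method mentioned in the message and not Zope's ZPublisher code. The names `Script`, `publish`, `deny_web_call`, `render_template` and `build_site` are hypothetical stand-ins, and the sample data is constructed.

```python
# Simplified model of the publishing rule; not Zope's ZPublisher code.
class Forbidden(Exception):
    """Stands in for the HTTP error a real publisher would return."""


class Script:
    """Constructed stand-in for a Python Script or ZSQL Method."""
    index_html = None  # no web entry point unless one is assigned

    def __init__(self, name, func):
        self.name, self.func = name, func

    def __call__(self, *args, **kw):
        return self.func(*args, **kw)


def deny_web_call(*args, **kw):
    """An index_html that refuses every call arriving through the publisher."""
    raise Forbidden("not callable via URL")


def publish(root, path):
    """Model of a URL request: traverse, then prefer a non-None index_html."""
    obj = root
    for step in path.strip("/").split("/"):
        obj = obj[step]
    entry = getattr(obj, "index_html", None)
    target = entry if entry is not None else obj
    return target()


def render_template(root):
    """Model of a Page Template calling the script internally, not via a URL."""
    return "<p>%s</p>" % root["get_users"]()


def build_site(protect):
    """Return a one-object site; with protect=True the script gets the guard."""
    script = Script("get_users", lambda: "alice,bob")  # constructed sample data
    if protect:
        script.index_html = deny_web_call
    return {"get_users": script}
```

In this model the guarded script still serves the template, because the template calls the object directly and never goes through `publish`.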