[ZPT] How are you ZPT users securing your interfaces?

Kevin Gill Kevin.Gill at newaddress.ie
Tue Feb 8 06:16:56 EST 2005


Hi Dieter,

Thanks for the response. You clearly have a lot of experience here.

Both of your options seem workable.

I have used a site access method to prevent traversal of certain folders as 
you suggested below. I reject IPs other than my office IP address. This is 
a good security measure, and is much simpler than working access rights down 
through all the scripts, methods etc. that I use (possibly laziness).

Kevin

----- Original Message ----- 
From: "Dieter Maurer" <dieter at handshake.de>
To: "Kevin Gill" <Kevin.Gill at newaddress.ie>
Cc: <zpt at zope.org>
Sent: Wednesday, February 02, 2005 9:32 PM
Subject: Re: [ZPT] How are you ZPT users securing your interfaces?


> Kevin Gill wrote at 2005-2-1 20:19 -0000:
>> ...
>>I have a Zope application written using Page Templates (Presentation
>>Templates?) to interface to the user. I cannot see how to prevent a
>>malicious visitor from by-passing the Template and accessing the python
>>scripts and ZSQL methods behind it.
>
> I posted a really long time ago an External Method
> that allows you to give any object an "index_html" method.
>
> If an object has a (non "None") "index_html" method, then
> ZPublisher will call it.
>
> Effectively, you can control in this way, how the object
> behaves when called via the Web.
> With an appropriate "index_html" you can prevent such calls.
>
>
> Another option is to use a special folder that restricts
> (URL-) traversal through it. I think there is a product
> for this (never used it though).
>
>
> I agree that all these approaches are workarounds only.
> Zope should have a special permission (say "URL callable")
> to control whether an object can be called via the Web.
> But, it does not do ...
>
>
> -- 
> Dieter 
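
Added example, not part of the original messages and not Zope's own access-rule API: a plain-Python sketch of the office-IP allowlist check described in the reply above. The function names, the `environ` dict standing in for the request, and the addresses (documentation ranges) are assumptions; the proxy handling covers the case where Zope sits behind a front-end web server and `REMOTE_ADDR` is the proxy's address.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the thread.
OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.10/32")]
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]  # assumed local front end


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def client_address(environ, trusted_proxies=TRUSTED_PROXIES):
    """Return the address to authorize, or None if it cannot be determined.

    X-Forwarded-For is honoured only when the direct peer is a trusted proxy.
    It is read right to left, skipping trusted proxies, so entries a client
    placed at the left of the header are never taken as the client address.
    """
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    if not _in_any(peer, trusted_proxies):
        return peer  # direct connection: the header is ignored entirely
    header = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed header: fail closed
        if not _in_any(addr, trusted_proxies):
            return addr
    return None  # proxy supplied no usable client address: fail closed


def is_allowed(environ, allowed=OFFICE_NETWORKS, trusted_proxies=TRUSTED_PROXIES):
    """True only when the resolved client address is inside the allowlist."""
    addr = client_address(environ, trusted_proxies)
    return addr is not None and _in_any(addr, allowed)
```
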


