[Zope] [Ann] Protecting DTML objects from Web-Access

Dieter Maurer zope@zope.org
Sat, 14 Apr 2001 17:36:43 +0200


Dear Zopistas,

Several times, I heard
the wish to protect objects from access through the Web
while they are otherwise (i.e. from DTML, Python Script, ...)
usable as normal. This requirement prevents using the "View"
permission as it covers both access from the Web and
internally.

We discussed earlier splitting the View permission into
something like a "View" (in the sense of "View through the Web")
and "Use" (in the sense of use internally).

Recently, I suggested an incredibly complex solution for hiding
doc strings.

Now, I found a really easy way to achieve the goal.
It is a hack, though. Splitting the "View" permission
would be much more explicit.

It goes like this:

  ZPublisher normally wants to call "index_html" (or whatever
  standard method handles the HTTP request) when it reaches
  the end of the URL during traversal.
  It can be prevented from doing this if either the object
  does not have (or acquire) the method, or it has it
  but it is 'None'.

  As DTML objects, and probably many others (Python Scripts
  may use a different approach),
  do not want an acquired "index_html" to be called,
  they define "index_html = None".

  If a DTML object's "index_html" is set to something
  different (not 'None'), then this object is called
  by ZPublisher and not the DTML object.

  You can set any callable object. It may return
  a nice page telling the user that he exceeds his limits,
  raise an exception or set an error response status.

  Setting "index_html" to "None" again restores the old state.


The following trivial external method can set "index_html":

  def setIndex_html(obj, index_html):
    # A callable is called by ZPublisher instead of obj; None restores the old state.
    obj.index_html = index_html


Dieter
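
A simplified Python model of the behaviour described above, added as an illustration and not part of the original post or of Zope itself. Only the end-of-traversal lookup of "index_html" is modelled; `DTMLLike`, `Forbidden`, `deny_web_access`, `publish` and `demo` are hypothetical names.

```python
# Simplified model of the end-of-URL step described in the post.
# Not Zope code: every name except index_html and setIndex_html is hypothetical.

class Forbidden(Exception):
    """Constructed stand-in for the error the blocking callable raises."""


class DTMLLike:
    """Models a DTML object: callable, with index_html = None by default."""
    index_html = None  # keeps an acquired index_html from being called

    def __init__(self, body):
        self.body = body

    def __call__(self):
        # Internal use (from DTML, Python Script, ...) goes through here.
        return self.body


def setIndex_html(obj, index_html):
    # The external method from the post.
    obj.index_html = index_html


def deny_web_access():
    raise Forbidden("not available through the Web")


def publish(obj):
    """Return (status, body) for a request whose URL ends at obj."""
    default = getattr(obj, "index_html", None)
    # Missing or None: the object itself is called; otherwise index_html is.
    target = obj if default is None else default
    try:
        return 200, target()
    except Forbidden as exc:
        return 403, str(exc)


def demo():
    doc = DTMLLike("<p>fragment</p>")      # constructed sample content
    before = publish(doc)                 # served normally
    setIndex_html(doc, deny_web_access)
    blocked = publish(doc)                # Web request is refused
    internal = doc()                      # internal call still works
    setIndex_html(doc, None)
    restored = publish(doc)               # old state is back
    return before, blocked, internal, restored
```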