[Zope] protecting users from hostile authors

Kyler B. Laird laird@ecn.purdue.edu
Sat, 01 Sep 2001 08:29:34 -0500


O.k., I've been mulling over the topic of
protecting users from lots of potentially
hostile authors.  I've got some ideas
that could go a little way toward solving
the problem.

When writing a method that is going to do
something *really* privileged (like "drop
class"), there should be a second "Are
you sure you want to...?" step. 

In order to enforce the desired use of
this step, there must be a way to
determine that the method is being called
directly from the Zope Publisher(???) -
not through an intermediate method.  I
have worked with such problems extensively
under Apache, and the most secure solution
I developed was not pretty.  I'm hoping
for better in Zope.

Is there a good un-fakeable way in Zope
to determine the caller of a method?  I am
not willing to trust the things I would
initially consider for doing this (without
some assurances from more knowledgeable
people).

(Another piece that is required for the
"extra step" solution I mention is the
generation of some cryptographic key to
the second step.  I think I understand
how to do that.)

Some other things to consider...if you
have a "Referer" header, you could use it
to ensure that the user got to your
method through the "proper" path.  Using
the "Accept" header *should* give a clue
if the request is coming as a result of a
tag like "img".  These are not dependable
solutions, though.  Some browsers do not
send the Referer, and MS browsers have a
long history of sending bogus Accept
values.  Also, frames could be used
instead of images for "invisible" calls.

--kyler
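The two-step confirmation sketched above, with the "cryptographic key to the second step" realised as an HMAC bound to the authenticated user, the requested action and an issue time, so a token minted for one user or action cannot be replayed by a hidden img or frame for another. This is an added example, not code from the post or from Zope; the secret and the user/action names are constructed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret for this example; a real deployment loads it
# from configuration and never derives it from anything in the request.
SERVER_SECRET = b"example-server-secret-do-not-reuse"
_USED_NONCES = set()  # nonces already spent, so a confirmation works once


def _mac(user_id, action, issued_at, nonce, secret):
    # The MAC covers who may confirm, what they confirm, and when it was issued.
    msg = "|".join([user_id, action, str(issued_at), nonce]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_confirmation(user_id, action, now=None, secret=SERVER_SECRET):
    """Step 1: the privileged method is reached.  Instead of acting, return the
    fields to embed in the 'Are you sure you want to...?' form."""
    issued_at = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    return {"nonce": nonce, "issued_at": issued_at,
            "mac": _mac(user_id, action, issued_at, nonce, secret)}


def confirm_and_execute(user_id, action, token, now=None, max_age=300,
                        secret=SERVER_SECRET, used_nonces=_USED_NONCES):
    """Step 2: the 'yes, do it' request arrives.  user_id comes from the
    server's own authentication of this request, action from the method being
    invoked; neither is taken from the submitted form.  Returns True only when
    the privileged action was actually performed."""
    now = int(now if now is not None else time.time())
    try:
        issued_at = int(token["issued_at"])
        nonce = str(token["nonce"])
        presented = str(token["mac"])
    except (KeyError, TypeError, ValueError):
        return False
    if issued_at > now or now - issued_at > max_age:
        return False  # stale (or clock-skewed) confirmation: re-prompt
    expected = _mac(user_id, action, issued_at, nonce, secret)
    if not hmac.compare_digest(expected, presented):
        return False  # forged, or bound to a different user or action
    if nonce in used_nonces:
        return False  # replayed confirmation
    used_nonces.add(nonce)
    # ... perform the privileged action here (placeholder) ...
    return True
```

A Referer or Accept check, as the post notes, is only a hint; the token check above is what actually decides.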