[Zope] set permission depending on domain

Marcus Bergmann zope@zope.org
Thu, 28 Feb 2002 18:25:21 +0100


Joel Burton wrote:
> 
> On Thu, 28 Feb 2002, Marcus Bergmann wrote:
> 
> > Hello,
> >
> > is it possible to set permissions, e.g. 'view', depending on the
> > surfer's domain? I need to protect files and folders from viewing by
> > surfers outside our domains. I don't want a login screen!
> 
> Haven't tried this, but would it work to:
> 
> in outer folder, create user "bob" with low privileges (ie can't view
> documents in question)
> 
> in inner folder, create user "bob" with same password and higher
> privileges (ie can view docs in question) __and__ with restricted domain
> list
> 
> when zope goes to show bob the content, it would fail with the inner bob
> if he's not from the right domain and fall back on the outer bob who lacks
> the right privileges.
> 
> Not sure if it would do this, though: it might not bubble up to the next
> bob. If it sounds interesting, check & see & let us know.

I don't want to do this because I don't want to force the users to log in.
I want Zope to check the domain the user comes from and either allow
or deny access. No problem with DTML-Documents or -Methods. There I can
query the REMOTE_HOST. But if I publish files, there is no way to run a
script, is there?

> 
> -*-
> 
> if this doesn't work, something more programmatic, like a SetAccessRule
> python script in the folder in question would work. This would compare the
> requester's domain and could raise an exception. It's not nice, clean
> declaration security like above, but, hey, it would get the job done.

Ok, I could write such a script, but how do I run the script when the
user accesses the contents of the folder? Let's say the user directly
calls http://mydomain/myfolder/myfile.pdf.

> 
> -*-
> 
> btw: if you're using a different webserver (eg apache) as the front end,
> you might not be getting the real browser IP address proxied to you; you
> might be getting the IP address of your apache box. Search the list for
> messages about this for workarounds.
> 

No problem, our Apache lets the REMOTE_HOST name pass.

> --
> 
> Joel BURTON  |  joel@joelburton.com  |  joelburton.com  |  aim: wjoelburton
> Independent Knowledge Management Consultant

In my view, the lack of the possibility to deny/allow access to
objects in Zope is a missing feature. You can do it easily with Apache,
why not with Zope?

Thanks,
Marcus
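
Added example, not part of the original thread and not Zope code: a standalone Python version of the domain check discussed above, including the front-end proxy caveat. The dict keys mirror the CGI-style variables named in the thread; the networks, domain, proxy address, function names and the `resolve` callable are assumptions made for illustration.

```python
import ipaddress

# Constructed sample policy (assumptions, not values from the thread).
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
ALLOWED_DOMAINS = ("example.org",)
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}  # the Apache front end

def client_ip(environ):
    """Real client address; X-Forwarded-For is honoured only from our proxy."""
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    if peer not in TRUSTED_PROXIES:
        return peer  # direct connection: ignore any client-supplied header
    hops = [h.strip() for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    try:
        # The rightmost entry is the one our own proxy appended.
        return ipaddress.ip_address(hops[-1])
    except ValueError:
        return None  # missing or malformed header: treat as unknown

def host_in_domain(host, domains=ALLOWED_DOMAINS):
    """Match on a label boundary so 'evilexample.org' != 'example.org'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def is_allowed(environ, resolve=None):
    """Allow by address first; accept a REMOTE_HOST claim only if `resolve`
    (hypothetical callable: hostname -> list of address strings) confirms
    that the name really maps back to the connecting address."""
    ip = client_ip(environ)
    if ip is None:
        return False
    if any(ip in net for net in ALLOWED_NETS):
        return True
    host = environ.get("REMOTE_HOST", "")
    if not host_in_domain(host) or resolve is None:
        return False
    return str(ip) in resolve(host)  # forward-confirmed reverse DNS
```

REMOTE_HOST is derived from reverse DNS, which is controlled by whoever owns the connecting address, so the hostname is only accepted after the forward lookup agrees with it.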