[Zope] RDBMS Applications and direct calling of script(python) and sql methods

Dylan Reinhardt zope at dylanreinhardt.com
Thu Oct 9 18:31:21 EDT 2003


On Thu, 2003-10-09 at 13:36, Eric Merritt wrote:
> Let's take a simple example: assume that each user has
> an id that is keyed to his 'stuff'. The ZSQL method
> must be passed this id to access his stuff. This is
> all fine and good; a Script (Python) method could
> provide this to the ZSQL method behind the scenes
> without any great issue. The problem comes in when the
> user attempts to access this ZSQL method via its
> URL. Going this route he could pretty easily supply
> an arbitrary id and get access to information that he
> shouldn't have.

Yes, that would be a problem... so don't do it that way.  :-)

Instead, have Zope provide you the name of the user from its
authentication machinery.  That's *much* harder to spoof.

To get this, cook up a Python script called get_user and use this for
the code:

----
# Script (Python): returns the name of the currently authenticated user,
# as determined by Zope's security machinery rather than by request input.
from AccessControl import getSecurityManager
return getSecurityManager().getUser().getUserName()
----

Now include a call to get_user() when you need to pass in the username
as a parameter to your query.

HTH,

Dylan
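An added example, not code from Dylan's post, that models the two designs discussed in this thread in plain Python with sqlite3: StubSecurityManager, build_db and the two view functions are constructed stand-ins for Zope's getSecurityManager(), a ZSQL method and the scripts that call it.

```python
# Added example (not from the original post): contrasts a URL-callable
# query that trusts a caller-supplied id with one that takes the owner
# from the authenticated principal, as the get_user script does.
import sqlite3

# Constructed sample data: each row of "stuff" belongs to one username.
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE stuff (owner TEXT, item TEXT)")
    con.executemany("INSERT INTO stuff VALUES (?, ?)", [
        ("alice", "alice-report.pdf"),
        ("bob", "bob-invoice.pdf"),
    ])
    return con

class StubSecurityManager:
    """Stand-in for AccessControl.getSecurityManager(): the identity it
    returns comes from the authentication layer, not from request input."""
    def __init__(self, authenticated_username):
        self._name = authenticated_username
    def getUser(self):
        return self
    def getUserName(self):
        return self._name

def zsql_stuff_for(con, owner):
    """Analogue of the ZSQL method: parameterised (no SQL injection), but it
    trusts whatever owner value it is handed."""
    rows = con.execute("SELECT item FROM stuff WHERE owner = ?", (owner,))
    return [r[0] for r in rows]

def insecure_view(con, request_form):
    """Exposed with a caller-supplied id: the authorization gap from the
    quoted message. Any user can name any other owner in the request."""
    return zsql_stuff_for(con, request_form["owner"])

def secure_view(con, security_manager):
    """The get_user approach: the owner is taken from the authenticated
    user, so nothing in the request can redirect the query."""
    owner = security_manager.getUser().getUserName()
    return zsql_stuff_for(con, owner)

if __name__ == "__main__":
    db = build_db()
    bob = StubSecurityManager("bob")
    print(insecure_view(db, {"owner": "alice"}))  # bob reads alice's rows
    print(secure_view(db, bob))                   # only bob's own rows
```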
