[Zope] RDBMS Applications and direct calling of script(python)and sql methods

Erik Myllymaki erik.myllymaki at aviawest.com
Thu Oct 9 18:54:21 EDT 2003


> On Thu, 2003-10-09 at 13:36, Eric Merritt wrote:
> > Let's take a simple example, assume that each user has
> > an id that is keyed to his 'stuff'. The zsql method
> > must be passed this id to access his stuff. This is
> > all fine and good, a script(python) method could
> > provide this to the zsql method behind the scenes
> > without any great issue. The problem comes in when the
> > user attempts to access this zsql method via its
> > URL. Going this route he could pretty easily supply
> > an arbitrary id and get access to information that he
> > shouldn't have.
> 
> Yes, that would be a problem... so don't do it that way.  :-)
> 
> Instead, have Zope provide you the name of the user from its
> authentication machinery.  That's *much* harder to spoof.
> 
> To get this, cook up a Python script called get_user and use this for
> the code:
> 
> ----
> from AccessControl import getSecurityManager
> return getSecurityManager().getUser().getUserName()
> ----
> 
> Now include a call to get_user() when you need to pass in the username
> as a parameter to your query.


Any reason why you shouldn't just use <dtml-var AUTHENTICATED_USER>
as a parameter to your SQL query?

just curious...
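To make the difference between the two designs in the quoted advice concrete, here is an added example (not code from the thread or from Zope itself) that models both with an in-memory SQLite table: one query takes the id from the request, as a ZSQL method reached by URL would, and the other takes the username from the authentication layer, as the get_user script does. The table, rows and the `authenticated_username` parameter standing in for `getSecurityManager().getUser().getUserName()` are constructed assumptions.

```python
import sqlite3

# Constructed sample data: each user's "stuff" is keyed by a per-user id.
ROWS = [
    (1, "alice", "alice's private notes"),
    (2, "bob", "bob's private notes"),
]


def make_db():
    """Build the constructed table in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stuff (user_id INTEGER, username TEXT, data TEXT)")
    conn.executemany("INSERT INTO stuff VALUES (?, ?, ?)", ROWS)
    return conn


def stuff_by_request_id(conn, authenticated_username, request):
    """Models the ZSQL method called directly via its URL.

    The id is read from the request, so the authenticated identity is never
    consulted: whoever calls it chooses whose rows come back.
    """
    user_id = int(request["id"])  # attacker-controlled if exposed by URL
    cur = conn.execute("SELECT data FROM stuff WHERE user_id = ?", (user_id,))
    return [row[0] for row in cur]


def stuff_for_authenticated_user(conn, authenticated_username):
    """Models the Script (Python) wrapper from the quoted advice.

    The username stands in for getSecurityManager().getUser().getUserName();
    it comes from Zope's authentication machinery, not from the request, so
    the caller cannot pick someone else's rows.
    """
    cur = conn.execute(
        "SELECT data FROM stuff WHERE username = ?", (authenticated_username,)
    )
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = make_db()
    # alice is logged in but supplies id=2 in the URL: the request-keyed
    # query hands her bob's data, the identity-keyed one does not.
    print(stuff_by_request_id(db, "alice", {"id": "2"}))
    print(stuff_for_authenticated_user(db, "alice"))
```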
