[Zope] Scripts run as least privileged user necessary?

Chris Withers chrisw at nipltd.com
Thu Sep 4 10:54:26 EDT 2003


Ken Causey wrote:
> It is a precondition script whose goal is to try to prevent access to an
> image unless you are viewing it embedded within a page of my site.  

A simpler solution is just to look at your logs every now and then and bitch at 
people who are hijacking images ;-)

> The
> closest I've been able to come to this goal is to add a value to the
> session within the page and check in the precondition script for the
> image that the value is defined.  Although not ideal this works
> sufficiently.

I think that's about as good as it'll get, HTTP and HTML are not designed to do 
what you want them to...

> Where I'm running into the problem I described above is that I wanted to
> exempt managers from the check for the session variable.  The obvious
> way to do that seemed to be to check the role of the user.

Indeed, but that's a nigh-on impossible task given the way HTTP and HTML work 
together...

> I welcome any alternatives you can suggest.

Hmmm, why do you care so much about these images being hijacked?

cheers,

Chris
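
Added example, not part of the original post: the periodic log review suggested in the reply, written as a script that counts image requests whose Referer points at another site. It assumes an Apache-style "combined" access log; the host names, paths and log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Assumption: these are the site's own host names (hypothetical).
OWN_HOSTS = {"www.example.org", "example.org"}
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def hotlinkers(lines, own_hosts=OWN_HOSTS):
    """Count served image hits per (foreign Referer host, image path)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0].lower()
        if not path.endswith(IMAGE_EXT) or m["status"] not in ("200", "304"):
            continue
        host = (urlparse(m["referer"]).hostname or "").lower()
        # A missing Referer ("-") is a direct request or a stripping proxy:
        # it cannot be attributed to a site, so it is not counted.
        if host and host not in own_hosts:
            counts[(host, path)] += 1
    return counts

# Constructed sample log lines (documentation IP ranges, made-up hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Sep/2003:10:00:01 -0400] "GET /images/logo.gif HTTP/1.0" '
    '200 2326 "http://www.example.org/index_html" "Mozilla/4.0"',
    '198.51.100.7 - - [04/Sep/2003:10:00:05 -0400] "GET /images/photo.jpg HTTP/1.0" '
    '200 48211 "http://forum.example.net/thread/12" "Mozilla/4.0"',
    '198.51.100.8 - - [04/Sep/2003:10:00:09 -0400] "GET /images/photo.jpg HTTP/1.0" '
    '200 48211 "http://forum.example.net/thread/12" "Mozilla/4.0"',
    '203.0.113.5 - - [04/Sep/2003:10:00:12 -0400] "GET /images/photo.jpg HTTP/1.0" '
    '200 48211 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [04/Sep/2003:10:00:15 -0400] "GET /about.html HTTP/1.0" '
    '200 512 "http://forum.example.net/thread/12" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for (host, path), n in hotlinkers(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {host}  {path}")
```

The Referer header is supplied by the client and can be absent or forged, so the counts indicate which sites embed the images rather than prove it.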