[Zope] Re: Re: [Security] How to encrypt a Zope oid ?

J Cameron Cooper jccooper at jcameroncooper.com
Mon Sep 15 22:59:33 EDT 2003


>>It's not a question of English or French...
>>
>>The final user's browser needs to understand the final URL, doesn't it?
>>That limits your ability to conceal or encrypt the URL...
>>    
>>
>OK, but with Zope, you can build an application controller that decodes
>parameters and calls the real Zope object. Or a simple page controller
>that encrypts its parameters:
>
>Example: a document has the URL:
> $ZOPE/.../document_manager/document_37.
>
>I wish the displayed URL looked like:
>$ZOPE/.../document_manager?document=k2316fge54dsgb51v3vsdv4
>
>It is the document_manager that translates an unreadable parameter to
>the document's real URL.
>
>What I want to avoid is somebody trying to manually access document_38,
>document_39, etc., just to add more security...
>  
>
Okay, that makes some sense. But seems to me that the most reasonable 
answer is to not provide the objects with sequential names in the first 
place. Since no one will see them like that, who cares?

But: presuming that you need the real objects named exactly like that 
for some reason, there are several approaches you could take:

Give everything you want accessed a property that is arbitrary. Write a 
simple Python script to fetch the object (document_manager) with the 
property matching the number provided by the URL (document). An 
optimization of this is to store a single dictionary with a 
fake_name:real_name scheme. The generation of the fake_names could be 
manual or automatic, depending on scale and need.

Provide a folder not publicly accessible and in your public folder, 
create objects that point to the real ones, but give them arbitrary 
names. You could use PortableHole, Python scripts (return private.doc1), 
or any number of products you might find on Zope.org. The good thing 
here is that everything still works like Zope objects (you can use 
objectItems instead of having to get the list out of a dictionary.)

I'm sure there are other clever methods to do this.

          --jcc

-- 
"My point and period will be throughly wrought,
Or well or ill, as this day's battle's fought."
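
The fake_name:real_name dictionary from the first approach above, as an added example that is not part of the original message. It is plain Python rather than Zope API code; the class and function names are hypothetical, and drawing the fake names from Python's `secrets` module is an assumption (the message leaves the generation method open).

```python
import secrets


class OpaqueNameMap:
    """fake_name -> real_name table (hypothetical helper, not a Zope product)."""

    def __init__(self, token_bytes=16):
        self._token_bytes = token_bytes   # 16 bytes = 128 bits from the OS CSPRNG
        self._by_token = {}               # fake_name -> real_name
        self._by_real = {}                # real_name -> fake_name

    def publish(self, real_name):
        """Return the stable opaque token for real_name, creating it once."""
        if real_name in self._by_real:
            return self._by_real[real_name]
        while True:
            token = secrets.token_urlsafe(self._token_bytes)
            if token not in self._by_token:   # regenerate on collision
                break
        self._by_token[token] = real_name
        self._by_real[real_name] = token
        return token

    def resolve(self, token):
        """Return the real name for an issued token, or None otherwise."""
        if not isinstance(token, str):
            return None
        return self._by_token.get(token)


def build_demo():
    # Constructed sample data: sequential ids like those in the thread.
    names = OpaqueNameMap()
    tokens = {n: names.publish(n) for n in ("document_37", "document_38")}
    return names, tokens


if __name__ == "__main__":
    names, tokens = build_demo()
    for real, tok in tokens.items():
        print("document_manager?document=%s -> %s" % (tok, real))
    # A guessed sequential name is not an issued token, so it resolves to None.
    print(names.resolve("document_39"))
```

The table only hides the names: the real objects must still be unreachable by their sequential ids, which is what the non-public folder in the second approach provides.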




