[Zope] Hiding ZMI Pages

Cliff Ford Cliff.Ford at ed.ac.uk
Fri Nov 5 08:15:22 EST 2004

Just to add to these comments:

bruno modulix wrote:
> Thomas Rampelberg wrote:
>> Is there a way to keep users from being able to see any of the
>> management pages? 
> In the security tab, there's a 'View management screens'
>> For example, return a 404 error if someone tries to
>> go to http://zopesite/manage or http://zopesite/object/manage.
> If you run Zope behind Apache, you could take advantage of rewrite rules 
> and access control to hide 'manage' urls from requests on port 80 while 
> allowing 'em on 8080 (or whatever port your Zope listens to).

You could do management through a secure shell:

ssh www.yoursite.com -L8080:localhost:8080

then use apache to allow only localhost:8080/manage requests to get to real
management urls.

>> In a similar vein, how would you go about keeping users from executing
>> python scripts or external methods by just typing in the path to that
>> object (http://zopesite/pythonscript) yet still let the pages that use
>> those methods to access them?
> It's in the fine manual, section "proxy roles".

Do you mean "Allow anonymous users to see a page that contains the 
output from a script, but deny the anonymous user the ability to call 
that script directly?" In the FM it is not so obvious you do this:

1. Give the python script the View/Manager only permission, then

2. Call the script from a dtml document that has the Manager proxy role.

That at least stops the script from being called from the browser url 
box. I am not sure this would do any good. If hackers want to get at 
your script with fake data they could try calling your dtml document 
with their own parameters.


Sorry I seem to have stolen a thread - deleted original message.
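
One way to lay out the Apache side of the setup discussed in this thread, as an added example that is not part of the original messages. It assumes Apache 2.4 with mod_rewrite and mod_proxy_http loaded, Zope bound to 127.0.0.1:8080 only, and a VirtualHostMonster in the Zope root; the hostname is the placeholder used in the post.

```apache
# Added example, not from the original thread.
# Assumptions: Apache 2.4, mod_rewrite + mod_proxy + mod_proxy_http loaded,
# Zope listening only on 127.0.0.1:8080, VirtualHostMonster present in Zope.
<VirtualHost *:80>
    ServerName www.yoursite.com

    RewriteEngine On

    # Answer 404 for any path segment named "manage" or starting with
    # "manage_" at any depth: /manage, /object/manage, /object/manage_main.
    # A segment such as /management-news is not matched.
    # A status outside 300-399 drops the substitution and stops rewriting.
    RewriteRule "^/(.*/)?manage(_[^/]*)?(/.*)?$" "-" [R=404,L]

    # Everything else is proxied to Zope on the loopback interface.
    RewriteRule "^/(.*)$" "http://127.0.0.1:8080/VirtualHostBase/http/www.yoursite.com:80/VirtualHostRoot/$1" [P,L]
</VirtualHost>
```

With this in place the management screens are reached only through the tunnel from the post (`ssh www.yoursite.com -L8080:localhost:8080`, then http://localhost:8080/manage in the local browser). The 'View management screens' permission mentioned above still decides who may use them once connected.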

