[Zope] Hiding ZMI Pages
Cliff.Ford at ed.ac.uk
Fri Nov 5 08:15:22 EST 2004
Just to add to these comments:
bruno modulix wrote:
> Thomas Rampelberg wrote:
>> Is there a way to keep users from being able to see any of the
>> management pages?
> In the security tab, there's a 'View management screens'
>> For example, return a 404 error if someone tries to
>> go to http://zopesite/manage or http://zopesite/object/manage.
> If you run Zope behind Apache, you could take advantage of rewrite rules
> and access control to hide 'manage' urls from requests on port 80 while
> allowing 'em on 8080 (or whatever port your Zope listens to).
You could do management through a secure shell:
ssh www.yoursite.com -L8080:localhost:8080
then use Apache to allow only localhost:8080/manage requests to get to real
>> In a similar vein, how would you go about keeping users from executing
>> python scripts or external methods by just typing in the path to that
>> object (http://zopesite/pythonscript) yet still let the pages that use
>> those methods to access them?
> It's in the fine manual, section "proxy roles".
Do you mean "Allow anonymous users to see a page that contains the
output from a script, but deny the anonymous user the ability to call
that script directly"? In the FM it is not so obvious you do this:
1. Give the Python script the View/Manager only permission, then
2. Call the script from a DTML document that has the Manager proxy role.
That at least stops the script from being called from the browser URL
box. I am not sure this would do any good. If hackers want to get at
your script with fake data they could try calling your dtml document
with their own parameters.
Sorry I seem to have stolen a thread - deleted original message.
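
The Apache approach suggested in the quoted replies, sketched as an added example that is not part of the original thread: port 80 answers 404 for management URLs and proxies everything else to Zope. The hostname, the loopback address and the presence of a VirtualHostMonster in the Zope root are assumptions.

```apache
# Added example. Assumes mod_rewrite, mod_proxy and mod_proxy_http are
# loaded, Zope listens on 127.0.0.1:8080, and port 8080 is not reachable
# from outside (bound to loopback or firewalled), so management happens
# only through the tunnel from the post:
#   ssh www.yoursite.com -L8080:localhost:8080
<VirtualHost *:80>
    ServerName www.example.com        # placeholder hostname

    RewriteEngine On

    # 404 for any URL with a path segment that is exactly "manage" or
    # starts with "manage_" (manage_main, manage_workspace, ...), at any
    # depth: /manage, /object/manage, /folder/manage_main, ...
    # Side effect: a published object whose id is "manage" is hidden too.
    RewriteRule ^/(.*/)?manage(_[^/]*)?(/.*)?$ - [R=404,L]

    # Everything else goes to Zope through the VirtualHostMonster so that
    # generated URLs keep the public hostname and port.
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/http/www.example.com:80/VirtualHostRoot/$1 [P,L]
</VirtualHost>
```

This only hides the screens from requests arriving on port 80; the 'View management screens' permission in the security tab still decides who can use them once a request reaches Zope.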