[Zope] Page Template security problem
Dieter Maurer
dieter at handshake.de
Tue Sep 27 13:45:45 EDT 2005
Chris Beaven wrote at 2005-9-27 16:54 +1200:
>I'm having a problem figuring out how to keep things secure while
>allowing a proxied script to call a page template correctly.
>
>/details/sendDetails
>Python script that is publicly available, receives an email address and
>sends that person thier details stored in the database.
>The script has proxy rights of "Administrator".
>
>/admin/person/emaildetails.htm
>Page template that is secured (admin folder is Administrator only for
>"view" and "access contents information").
>
>
>The anonymous user is prompted for authentication.
It calls "sendDetails"?
... which in turn calls "emaildetails.htm"?
>If I change emaildetails.htm to a simple "test" text file it works, the
>problem seems to lie when the template tries to access any script from
>the context.
In principle, it should have no problems to access scripts.
*HOWEVER* note that proxy roles are not passed to called objects.
Thus, "emaildetails.htm" does not run with proxy roles.
If it accesses objects from "admin folder", then you will
get an "Unauthorized".
A possible solution could be: let "sendDetail" access and process
all protected information and pass the results only (hopefully elementary
and therefor unrestricted) to the page template for formatting.
Let "sendDetail" then send the formatted message itself.
--
Dieter
More information about the Zope
mailing list