[Zope] Re: restricting permissions for direct access only
fg at nuxeo.com
Tue Feb 14 11:18:56 EST 2006
Michael Shulman wrote:
> I am new to Zope, and so far I like it very much. But I think I am
> confused about how security works, or is supposed to work.
> Specifically I want to know the following.
> Is there a way in Zope to restrict permissions for direct access only
> (i.e. calling an object through the web) but still allow indirect
> access (i.e. executing an object that was called by another object
> that was called through the web)?
Objects called by a URL have a REQUEST parameter. What I usually do is make
the script accept an optional REQUEST=None, and if it's non-None then I
I have many Zope scripts but most
> of them are only auxiliary functions; only a few are designed to be
> accessed by a user through a URL. I don't want users to be able to
> call my auxiliary scripts directly, only the ones that are designed to
> be "published." But changing the security settings on the auxiliary
> scripts (e.g. removing "View" access from "Anonymous" role) prevents
> anonymous users from executing them even indirectly, so the public
> objects which depend on those auxiliary methods also stop working.
> Feel free to tell me that I am misunderstanding the way security
> works, or is supposed to work, in Zope, or that if this is something I
> need to do I am designing my site incorrectly from the point of view
> of Zope security (and if so, what is the correct way to design it?).
Florent Guillaume, Nuxeo (Paris, France) Director of R&D
+33 1 40 33 71 59 http://nuxeo.com fg at nuxeo.com
More information about the Zope