[Zope] Re: restricting permissions for direct access only

Florent Guillaume fg at nuxeo.com
Tue Feb 14 11:18:56 EST 2006

Michael Shulman wrote:
> Hi,
> I am new to Zope, and so far I like it very much.  But I think I am
> confused about how security works, or is supposed to work.
> Specifically I want to know the following.
> Is there a way in Zope to restrict permissions for direct access only
> (i.e. calling an object through the web) but still allow indirect
> access (i.e. executing an object that was called by another object
> that was called through the web)?

Objects called by a URL have a REQUEST parameter. What I usually do is make 
the script accept an optional REQUEST=None, and if it's non-None then I 
raise Unauthorized.


   I have many Zope scripts but most
> of them are only auxiliary functions; only a few are designed to be
> accessed by a user through a URL.  I don't want users to be able to
> call my auxiliary scripts directly, only the ones that are designed to
> be "published."  But changing the security settings on the auxiliary
> scripts (e.g. removing "View" access from "Anonymous" role) prevents
> anonymous users from executing them even indirectly, so the public
> objects which depend on those auxiliary methods also stop working.
> Feel free to tell me that I am misunderstanding the way security
> works, or is supposed to work, in Zope, or that if this is something I
> need to do I am designing my site incorrectly from the point of view
> of Zope security (and if so, what is the correct way to design it?).
> Thanks!!
> Mike

Florent Guillaume, Nuxeo (Paris, France)   Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   fg at nuxeo.com

More information about the Zope mailing list