[Zope] Preventing files from being viewed by web clients

Lennart Regebro regebro at gmail.com
Mon May 8 14:31:24 EDT 2006


On 5/8/06, Brian <brian at texnet.com> wrote:
> I have a flash app that accesses .xml files.
>
> The source is viewable and some creative crackers have figured out how to
> meld a url together to get vital information from those .xml's.
>
> I need to prevent the web client from directly accessing them.
>
> Is there a directive (such as Apache's) or mechanism to keep web clients
> from accessing yet allow my app to access these files?
>
> Something like
>
> <FilesMatch \.(?i:gif|jpe?g|xml)$>
>    Order allow,deny
>    Allow from <some file name>
>    Deny from all
>    <some other web trick>
> </FilesMatch>
>
> in zope.conf or ???

Zope's security is based on being authenticated, so no. What you can do
is let the Flash app log in as a special user, and make the files only
accessible to that user. To prevent people from sneaking the password
from the IP-traffic, you also need to use SSL from the Flash app.

--
Lennart Regebro, Nuxeo     http://www.nuxeo.com/
CPS Content Management     http://www.cps-project.org/
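
An added example, not part of the original post and not Zope's own code, of the restriction described in the reply: it stops the .xml objects in a folder from acquiring the View permission and grants it to a single role. The function name, the role name `FlashApp` and the suffix match are assumptions; `valid_roles`, `objectValues`, `getId` and `manage_permission` are Zope 2 methods.

```python
# Added example: meant to run inside Zope 2 (for instance as an External
# Method). The role name and the ".xml" suffix match are assumptions.

VIEW = 'View'  # Zope's standard permission guarding web access to an object


def restrict_xml_to_role(folder, role='FlashApp', suffix='.xml'):
    """Make every object in `folder` whose id ends with `suffix` viewable
    only by `role` (and Manager). Returns the ids that were changed."""
    # Refuse to proceed if the role is not defined here: a typo in the
    # role name would leave the files unreadable by the app itself.
    if role not in folder.valid_roles():
        raise ValueError('role %r is not defined in this folder' % role)

    changed = []
    for obj in folder.objectValues():
        obj_id = obj.getId()
        if not obj_id.lower().endswith(suffix):
            continue
        # acquire=0 stops the object inheriting View from its parents,
        # which is where Anonymous normally gets it from.
        obj.manage_permission(VIEW, roles=[role, 'Manager'], acquire=0)
        changed.append(obj_id)
    return changed
```

The special user the Flash app logs in as is then given the `FlashApp` role, and anonymous requests for these objects are answered with Unauthorized.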

