[Zope] how to prevent URL access to an external method?

Pedro LaWrench pedrolawrench at yahoo.com
Tue Apr 28 11:27:21 EDT 2009

I like this idea.  Is this a standard approach in the Zope world?  Surely this is a relatively common problem...at least it seems to me that the intention of external methods is to provide support routines with unrestricted python that are never meant to be called directly by users.  Or are external methods the wrong way to do this?

----- Original Message ----
From: Jonathan (dev101) <dev101 at magma.ca>
To: Pedro LaWrench <pedrolawrench at yahoo.com>; zope at zope.org
Sent: Tuesday, April 28, 2009 8:08:03 AM
Subject: Re: [Zope] how to prevent URL access to an external method?

Within the ExternalMethod you could check the ACTUAL_URL variable (in REQUEST) and if the name of the external method is found you could redirect the user to a "you're a baaad user" page.


----- Original Message ----- From: "Pedro LaWrench" <pedrolawrench at yahoo.com>
To: <zope at zope.org>
Sent: Tuesday, April 28, 2009 11:04 AM
Subject: [Zope] how to prevent URL access to an external method?

I need to do something on the filesystem, which requires unrestricted python, so I created an external method. The problem is that anyone can call that directly via URL, so I added a permission check. Even then, users with the sufficient permissions can call this via URL, which I don't want them to do. I only want them to have access indirectly from other pages (such as a page template that will pass sane parameters). Is there anyway to do this?


Zope maillist  -  Zope at zope.org
**  No cross posts or HTML encoding!  **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-dev )


No virus found in this incoming message.
Checked by AVG - www.avg.com
Version: 8.0.238 / Virus Database: 270.12.6/2084 - Release Date: 04/28/09 06:15:00


More information about the Zope mailing list