[Zope] how to prevent URL access to an external method?

Pedro LaWrench pedrolawrench at yahoo.com
Tue Apr 28 11:42:10 EDT 2009

Excellent.  Thank you all for the suggests.

----- Original Message ----
From: Tres Seaver <tseaver at palladion.com>
To: zope at zope.org
Sent: Tuesday, April 28, 2009 8:38:18 AM
Subject: Re: [Zope] how to prevent URL access to an external method?

Hash: SHA1

Pedro LaWrench wrote:
> I need to do something on the filesystem, which requires unrestricted
> python, so I created an external method. The problem is that anyone
> can call that directly via URL, so I added a permission check. Even
> then, users with the sufficient permissions can call this via URL,
> which I don't want them to do. I only want them to have access
> indirectly from other pages (such as a page template that will pass
> sane parameters). Is there anyway to do this?

Add a REQUEST argument to your function, defaulting to None.  The
publisher will always pass the request in for that argument, while the
other templates / scripts should not.  E.g.:

def doSomething(self, REQUEST=None):
    """ Don't call me directly via a URL!!!
    if REQUEST is not None:
        raise ValueError('Wicked, evil, naughty Zoot!')

- --
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software  "Excellence by Design"    http://palladion.com
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


Zope maillist  -  Zope at zope.org
**  No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-dev )


More information about the Zope mailing list