[Zope] how to prevent URL access to an external method?
garito at sistes.net
Tue Apr 28 12:20:07 EDT 2009
In my opinion Tres's way is the correct one for this case
Why? Because the original must be is to run the script only for internal
The main diference between an internal call and a user one is the REQUEST
parameter and then the Tres's solution seems the more convenient way
It's only my opinion
2009/4/28 Jaroslav Lukesh <lukesh at seznam.cz>
> Why? It is more transparent and better way - use security tab.
> ----- Original Message -----
> From: "Tres Seaver" <tseaver at palladion.com>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > Pedro LaWrench wrote:
> >> I need to do something on the filesystem, which requires unrestricted
> >> python, so I created an external method. The problem is that anyone
> >> can call that directly via URL, so I added a permission check. Even
> >> then, users with the sufficient permissions can call this via URL,
> >> which I don't want them to do. I only want them to have access
> >> indirectly from other pages (such as a page template that will pass
> >> sane parameters). Is there anyway to do this?
> > Add a REQUEST argument to your function, defaulting to None. The
> > publisher will always pass the request in for that argument, while the
> > other templates / scripts should not. E.g.:
> > def doSomething(self, REQUEST=None):
> > """ Don't call me directly via a URL!!!
> > """
> > if REQUEST is not None:
> > raise ValueError('Wicked, evil, naughty Zoot!')
> Zope maillist - Zope at zope.org
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-dev )
Zope Smart Manager
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Zope