Re: [Zope] Anonymous security
Brian Sullivan wrote:
> Yeah -- I rediscovered Proxy roles and that seems like the most
> straightforward strategy -- not sure if there are counter indicators
> though that would make that strategy problematic.

Weird question - nobody knows about the code that you intend to write. If you are granting elevated rights to anonymous users one must be very careful...

-aj

___
Zope maillist - Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Anonymous security
Yeah -- I rediscovered Proxy roles and that seems like the most straightforward strategy -- not sure if there are counter indicators though that would make that strategy problematic.

On Sat, Dec 18, 2010 at 10:42 AM, Bart Jansen wrote:
> Hi all,
>
> When I face a situation like Brian describes I am used to using Proxy
> roles on the publicly available script to give it permission to do the
> restricted actions. Is that a good approach or should I not use this?
>
> One of the difficulties when using Proxy roles is that they do not
> propagate to the scripts/methods being called by the script that has the
> Proxy roles set.
>
> Regards, Bart
>
> PS. I'm new on the mailing list. My name is Bart Jansen and in my spare
> time I manage a couple of Zope2 sites for non-profit student sports
> clubs in the Netherlands.
>
> On 18-12-2010 8:10, Andreas Jung wrote:
>> http://collective-docs.plone.org/security/permissions.html#bypassing-permission-checks
>>
>> (works only from trusted code like browser views or package code - not
>> from PythonScripts)
>>
>> -aj
>>
>> Brian Sullivan wrote:
>>> I am looking at a situation (an online self registry process) where I
>>> want to allow a user that is not logged in to be able to create a user
>>> and do a number of other functions normally reserved for and
>>> restricted to logged in users with fairly elevated rights. I need to
>>> perform these functions from a Python script.
>>>
>>> What is the best strategy for doing this? I am thinking that creating
>>> a separate python script that has elevated rights and allowing
>>> Anonymous access to it and calling it from a script that does not have
>>> elevated rights is the best strategy to manage it. Am I creating a
>>> huge security hole by doing this?
Re: [Zope] Anonymous security
Hi all,

When I face a situation like Brian describes I am used to using Proxy roles on the publicly available script to give it permission to do the restricted actions. Is that a good approach or should I not use this?

One of the difficulties when using Proxy roles is that they do not propagate to the scripts/methods being called by the script that has the Proxy roles set.

Regards, Bart

PS. I'm new on the mailing list. My name is Bart Jansen and in my spare time I manage a couple of Zope2 sites for non-profit student sports clubs in the Netherlands.

On 18-12-2010 8:10, Andreas Jung wrote:
> http://collective-docs.plone.org/security/permissions.html#bypassing-permission-checks
>
> (works only from trusted code like browser views or package code - not
> from PythonScripts)
>
> -aj
>
> Brian Sullivan wrote:
>> I am looking at a situation (an online self registry process) where I
>> want to allow a user that is not logged in to be able to create a user
>> and do a number of other functions normally reserved for and
>> restricted to logged in users with fairly elevated rights. I need to
>> perform these functions from a Python script.
>>
>> What is the best strategy for doing this? I am thinking that creating
>> a separate python script that has elevated rights and allowing
>> Anonymous access to it and calling it from a script that does not have
>> elevated rights is the best strategy to manage it. Am I creating a
>> huge security hole by doing this?
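
Added example, not part of the original thread and not Zope's own code: a simplified Python model of the behaviour described in the message above, where only the script currently executing contributes its proxy roles, so a call into a second script falls back to the Anonymous user's roles. The names Context, Script, REGISTER, HELPER and WRAPPER, the input check and the fixed Member role are assumptions made for illustration.

```python
# Simplified model, constructed for illustration; not Zope's AccessControl code.
class Script:
    def __init__(self, body, proxy_roles=()):
        self.body = body
        self.proxy_roles = frozenset(proxy_roles)


class Context:
    def __init__(self, user_roles):
        self.user_roles = frozenset(user_roles)
        self.stack = []   # scripts currently executing, innermost last
        self.users = {}   # stand-in for a user folder

    def effective_roles(self):
        # Only the innermost executing script is consulted for proxy roles.
        if self.stack and self.stack[-1].proxy_roles:
            return self.stack[-1].proxy_roles
        return self.user_roles

    def call(self, script, *args):
        self.stack.append(script)
        try:
            return script.body(self, *args)
        finally:
            self.stack.pop()

    def add_user(self, login):
        # Protected operation: needs Manager among the effective roles.
        if "Manager" not in self.effective_roles():
            raise PermissionError("add_user requires Manager")
        self.users[login] = ("Member",)  # role is fixed, never caller-supplied
        return login


def register(ctx, login):  # public entry point: validate, then privileged step
    if not login.isalnum() or len(login) > 32 or login in ctx.users:
        raise ValueError("rejected login")
    return ctx.add_user(login)


REGISTER = Script(register, proxy_roles=["Manager"])
HELPER = Script(lambda ctx, login: ctx.add_user(login))  # no proxy roles
WRAPPER = Script(lambda ctx, login: ctx.call(HELPER, login), proxy_roles=["Manager"])


def demo():
    ctx = Context(["Anonymous"])
    direct = ctx.call(REGISTER, "alice")   # proxy roles on the running script
    try:
        nested = ctx.call(WRAPPER, "bob")  # HELPER runs without proxy roles
    except PermissionError:
        nested = "denied"
    return direct, nested, sorted(ctx.users)
```
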
Re: [Zope] Anonymous security
http://collective-docs.plone.org/security/permissions.html#bypassing-permission-checks

(works only from trusted code like browser views or package code - not from PythonScripts)

-aj

Brian Sullivan wrote:
> I am looking at a situation (an online self registry process) where I
> want to allow a user that is not logged in to be able to create a user
> and do a number of other functions normally reserved for and
> restricted to logged in users with fairly elevated rights. I need to
> perform these functions from a Python script.
>
> What is the best strategy for doing this? I am thinking that creating
> a separate python script that has elevated rights and allowing
> Anonymous access to it and calling it from a script that does not have
> elevated rights is the best strategy to manage it. Am I creating a
> huge security hole by doing this?

--
ZOPYX Limited       | zopyx group
Charlottenstr. 37/1 | The full-service network for Zope & Plone
D-72070 Tübingen    | Produce & Publish
www.zopyx.com       | www.produce-and-publish.com
E-Publishing, Python, Zope & Plone development, Consulting
[Zope] Anonymous security
I am looking at a situation (an online self registry process) where I want to allow a user that is not logged in to be able to create a user and do a number of other functions normally reserved for and restricted to logged in users with fairly elevated rights. I need to perform these functions from a Python script.

What is the best strategy for doing this? I am thinking that creating a separate python script that has elevated rights and allowing Anonymous access to it and calling it from a script that does not have elevated rights is the best strategy to manage it. Am I creating a huge security hole by doing this?