Re: [Zope] Page Template security problem
Chris Beaven wrote at 2005-9-27 16:54 +1200:
> I'm having a problem figuring out how to keep things secure while allowing a proxied script to call a page template correctly.
>
> /details/sendDetails
> Python script that is publicly available, receives an email address and sends that person their details stored in the database. The script has proxy rights of Administrator.
>
> /admin/person/emaildetails.htm
> Page template that is secured (admin folder is Administrator only for view and access contents information).
>
> The anonymous user is prompted for authentication.

It calls sendDetails? ... which in turn calls emaildetails.htm?

> If I change emaildetails.htm to a simple test text file it works, the problem seems to lie when the template tries to access any script from the context.

In principle, it should have no problems to access scripts.

*HOWEVER* note that proxy roles are not passed to called objects. Thus, emaildetails.htm does not run with proxy roles. If it accesses objects from admin folder, then you will get an Unauthorized.

A possible solution could be: let sendDetail access and process all protected information and pass the results only (hopefully elementary and therefore unrestricted) to the page template for formatting. Let sendDetail then send the formatted message itself.

--
Dieter
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
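A simplified model of the behaviour Dieter describes, as an added example that is not part of the thread and is not Zope code. The class names, the sample record and the rule that only the innermost running object's proxy roles are consulted are assumptions of this model.

```python
# Simplified model (not Zope code): a permission check looks only at the
# executable on top of the call stack. If that object has proxy roles they are
# used; otherwise the requesting user's roles are used.

class Unauthorized(Exception):
    pass

class Executable:
    def __init__(self, name, body, proxy_roles=()):
        self.name, self.body, self.proxy_roles = name, body, tuple(proxy_roles)

class Request:
    def __init__(self, user_roles):
        self.user_roles, self.stack = tuple(user_roles), []

    def call(self, exe, *args):
        self.stack.append(exe)            # the callee becomes the top of the stack
        try:
            return exe.body(self, *args)
        finally:
            self.stack.pop()

    def read(self, obj):
        top = self.stack[-1]
        roles = top.proxy_roles or self.user_roles  # caller's proxy roles are not inherited
        if not set(roles) & set(obj["allowed"]):
            raise Unauthorized(f"{top.name} may not read {obj['id']}")
        return obj["value"]

# Constructed sample data standing in for a protected object under /admin.
PERSON = {"id": "/admin/person/record", "allowed": ("Administrator",),
          "value": {"name": "Pat Example", "phone": "555-0100"}}

# Failing layout: the template itself reaches into protected content.
template_reads = Executable("emaildetails.htm",
    lambda req: "Name: %(name)s" % req.read(PERSON))
send_failing = Executable("sendDetails",
    lambda req: req.call(template_reads), proxy_roles=("Administrator",))

# Suggested layout: the script reads under its proxy role and passes plain values on.
template_formats = Executable("emaildetails.htm",
    lambda req, details: "Name: %(name)s" % details)
send_fixed = Executable("sendDetails",
    lambda req: req.call(template_formats, req.read(PERSON)),
    proxy_roles=("Administrator",))

def run(script):
    """Run `script` as an anonymous visitor; return its output or the denial."""
    try:
        return Request(["Anonymous"]).call(script)
    except Unauthorized as exc:
        return "Unauthorized: %s" % exc
```

In the second layout the template receives only a plain dictionary, so it needs no rights of its own and the proxy role stays confined to the one script that was granted it.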
[Zope] Page Template security problem
I'm having a problem figuring out how to keep things secure while allowing a proxied script to call a page template correctly.

/details/sendDetails
Python script that is publicly available, receives an email address and sends that person their details stored in the database. The script has proxy rights of Administrator.

/admin/person/emaildetails.htm
Page template that is secured (admin folder is Administrator only for view and access contents information).

The anonymous user is prompted for authentication.

If I change emaildetails.htm to a simple test text file it works, the problem seems to lie when the template tries to access any script from the context. I tried to give those scripts proxy rights too but that had no effect.

Am I going about this the wrong way, is there something I missed, or am I just going to have to revert to rewriting the whole details.htm as DTML?
Re: [Zope] Page Template security problem
--On 27. September 2005 16:54:05 +1200 Chris Beaven [EMAIL PROTECTED] wrote:
> The anonymous user is prompted for authentication.

Install VerboseSecurity and look at the output of VS.

-aj