Re: [Zope-dev] Preventing scripts from being called directly

2004-08-25 Thread Dario Lopez-Kästen
Florent Guillaume wrote:
> The way I do it is:
>
> ##parameters=foo, bar, ..., REQUEST=None
>
> if REQUEST is not None:
>     raise 'Unauthorized', 'Not callable TTW'

I believe this is much better. I get function not accessible in 
restricted mode with my own solution.

Thanks,
/dario
--
Dario Lopez-Kästen, IT Systems & Services Chalmers University of Tech.
___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] Preventing scripts from being called directly

2004-08-24 Thread Chris Withers
Dario Lopez-Kästen wrote:
> because the scripts I use in conjunction with SUF and that return person 
> information are callable as http://server/acl_users/scriptname.

Oh, well those can be totally unavailable to everyone.
It seems the security machinery is bypassed at that stage in the game ;-)

> BTW, will SUF have support for FS-based scripts in the future?

It already does, see the section on subclass usage in the documentation 
and the tests...

Chris
--
Simplistix - Content Management, Zope & Python Consulting
           - http://www.simplistix.co.uk


Re: [Zope-dev] Preventing scripts from being called directly

2004-08-24 Thread Florent Guillaume
In article [EMAIL PROTECTED] you write:
> Hello,
>
> I am trying to prevent PythonScripts from being called directly TTW.
>
> Is there a better way of doing this than the following code being called 
> at the very beginning of the script?
>
> if script.getPhysicalPath() == context.REQUEST.PUBLISHED.getPhysicalPath():
>     raise UnAuthorisedOrSimilar

The way I do it is:

##parameters=foo, bar, ..., REQUEST=None

if REQUEST is not None:
    raise 'Unauthorized', 'Not callable TTW'

...


Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 71 59  http://nuxeo.com  mailto:[EMAIL PROTECTED]
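
Added example, not part of the original thread or of Zope's code: a simplified Python 3 model of why the REQUEST=None guard above rejects calls published from a URL but lets internal calls through. Request, publish, person_info, call_outcome and the Unauthorized class are hypothetical stand-ins, and the model assumes the publisher binds parameters by name with REQUEST always resolving to the request object.

```python
# Simplified model of by-name argument binding during URL publication.
# Not Zope's publisher code; all names here are hypothetical stand-ins.
import inspect


class Unauthorized(Exception):
    """Stand-in for the exception a Zope script would raise."""


class Request:
    """Constructed request: form values plus the request under 'REQUEST'."""

    def __init__(self, form):
        self.form = dict(form)

    def lookup(self, name):
        # Model assumption: the name 'REQUEST' always resolves to the
        # request object, so a form field called REQUEST cannot null it.
        if name == "REQUEST":
            return True, self
        if name in self.form:
            return True, self.form[name]
        return False, None


def publish(func, request):
    """Model of a through-the-web call: fill parameters by name."""
    kwargs = {}
    for name in inspect.signature(func).parameters:
        found, value = request.lookup(name)
        if found:
            kwargs[name] = value
    return func(**kwargs)


def person_info(userid, REQUEST=None):
    """Script body using the guard from the post above."""
    if REQUEST is not None:
        raise Unauthorized("Not callable TTW")
    return {"userid": userid, "email": userid + "@example.org"}  # constructed data


def call_outcome(call):
    """Run a zero-argument callable; report 'ok' or 'Unauthorized'."""
    try:
        call()
        return "ok"
    except Unauthorized:
        return "Unauthorized"
```

The guard tests whether REQUEST was bound, not who the caller is, so trusted code that forwards the request, as in person_info("dario", REQUEST=request), is rejected as well.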


Re: [Zope-dev] Preventing scripts from being called directly

2004-08-23 Thread Chris Withers
Dario Lopez-Kästen wrote:
> I am trying to prevent PythonScripts from being called directly TTW.

Why?

> Is there a better way of doing this than the following code being called 
> at the very beginning of the script?
>
> if script.getPhysicalPath() == context.REQUEST.PUBLISHED.getPhysicalPath():
>     raise UnAuthorisedOrSimilar

Make the scripts only viewable by Manager, and give whatever calls them 
that role by Proxy.

Chris
--
Simplistix - Content Management, Zope & Python Consulting
           - http://www.simplistix.co.uk


Re: [Zope-dev] Preventing scripts from being called directly

2004-08-23 Thread Dario Lopez-Kästen
Chris Withers wrote:
> Dario Lopez-Kästen wrote:
>> I am trying to prevent PythonScripts from being called directly TTW.
>
> Why?

because the scripts I use in conjunction with SUF and that return person 
information are callable as http://server/acl_users/scriptname.

And the SUF API demands that the scripts accept a parameter that then 
can easily be supplied in the url. If all this is done, then I can 
obtain info about users that way. Not good.

>> Is there a better way of doing this than the following code being 
>> called at the very beginning of the script?
>>
>> if script.getPhysicalPath() == context.REQUEST.PUBLISHED.getPhysicalPath():
>>     raise UnAuthorisedOrSimilar
>
> Make the scripts only viewable by Manager, and give whatever calls them 
> that role by Proxy.

hm... right... that'd require even more customisation policy of my Plone 
site than what is there now...

I think I'll use the above code until I have time to fix the role/proxy 
assigning programmatically.

BTW, will SUF have support for FS-based scripts in the future?

/dario
--
Dario Lopez-Kästen, IT Systems & Services Chalmers University of Tech.