Re: [Zope] Page Template security problem

2005-09-27 Thread Dieter Maurer
Chris Beaven wrote at 2005-9-27 16:54 +1200:
I'm having a problem figuring out how to keep things secure while 
allowing a proxied script to call a page template correctly.

/details/sendDetails
Python script that is publicly available, receives an email address and 
sends that person their details stored in the database.
The script has proxy rights of Administrator.

/admin/person/emaildetails.htm
Page template that is secured (admin folder is Administrator only for 
view and access contents information).


The anonymous user is prompted for authentication.

It calls sendDetails?
... which in turn calls emaildetails.htm?

If I change emaildetails.htm to a simple test text file it works, the 
problem seems to lie when the template tries to access any script from 
the context.

In principle, it should have no problems to access scripts.

*HOWEVER* note that proxy roles are not passed to called objects.
Thus, emaildetails.htm does not run with proxy roles.
If it accesses objects from admin folder, then you will
get an Unauthorized.


A possible solution could be: let sendDetail access and process
all protected information and pass the results only (hopefully elementary
and therefore unrestricted) to the page template for formatting.
Let sendDetail then send the formatted message itself.

-- 
Dieter
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
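The behaviour Dieter describes (proxy roles apply only to the executable on top of the call stack, so a called template runs with the real user's roles) and his suggested restructuring, as an added Python model. This is a constructed simplification written for this thread, not Zope's AccessControl code; every class, function and record name in it is an assumption.

```python
# Constructed model (not Zope's own API) of proxy-role scoping: the check looks
# only at the executable on top of the call stack, so a called template runs
# with the real user's roles, not the calling script's proxy roles.
class Unauthorized(Exception):
    pass
class Executable:  # a script or template; proxy_roles replaces the user's roles while on top
    def __init__(self, name, proxy_roles=None):
        self.name, self.proxy_roles = name, proxy_roles
class SecurityManager:
    def __init__(self, user_roles):
        self.user_roles = set(user_roles)
        self.stack = []  # executables currently running, innermost last
    def effective_roles(self):
        top = self.stack[-1] if self.stack else None
        return set(top.proxy_roles) if top and top.proxy_roles else self.user_roles
    def validate(self, name, required):
        if not self.effective_roles() & set(required):
            raise Unauthorized("%s requires %s" % (name, sorted(required)))
    def run(self, executable, func, *args):
        self.stack.append(executable)
        try:
            return func(self, *args)
        finally:
            self.stack.pop()

PERSON = {"name": "Chris", "details": "account #42"}  # constructed record
def lookup_person(sm):  # a script inside the Administrator-only admin folder
    sm.validate("/admin/person", {"Administrator"})
    return PERSON
def template_reads_context(sm):  # emaildetails.htm calling a script from context
    return "Hello %(name)s: %(details)s" % lookup_person(sm)
def template_formats_only(sm, p):  # emaildetails.htm handed plain values instead
    return "Hello %(name)s: %(details)s" % p

def naive_flow(sm):  # sendDetails (proxy role Administrator) lets the template do the lookup
    script = Executable("sendDetails", proxy_roles={"Administrator"})
    return sm.run(script, lambda sm: sm.run(Executable("emaildetails.htm"), template_reads_context))

def fixed_flow(sm):  # Dieter's suggestion: sendDetails does the lookup, template only formats
    script = Executable("sendDetails", proxy_roles={"Administrator"})
    def body(sm):
        p = lookup_person(sm)  # script is on top of the stack, so proxy roles apply
        return sm.run(Executable("emaildetails.htm"), template_formats_only, p)
    return sm.run(script, body)

def outcome(flow):  # run a flow as the anonymous user and report what happens
    try:
        return flow(SecurityManager(user_roles={"Anonymous"}))
    except Unauthorized as e:
        return "Unauthorized: %s" % e
```

outcome(naive_flow) reports Unauthorized for /admin/person, while outcome(fixed_flow) returns the formatted greeting, because only the script on top of the stack carries the proxy role.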


Re: [Zope] Page Template security problem

2005-09-26 Thread Andreas Jung
--On 27. September 2005 16:54:05 +1200 Chris Beaven [EMAIL PROTECTED] 
wrote:

The anonymous user is prompted for authentication.

Install VerboseSecurity and look at the output of VS.

-aj


