Re: [Zope] Security for objects being called
Thibaud Morel l'Horset wrote at 2008-9-15 19:44 -0400: > I'm trying to figure out how to prevent certain zope objects from being >called directly but allow them to be called from another object. > > Here is an example: > You have a ZPT page, let's originally call it 'test' > test calls a Script(Python) 'script' Your options: * check in "script" that is was not called directly via the Web. You can do this by checking against "REQUEST['PUBLISHED']". * give your "script" a non-"None" "index_html" attribute Then, this "index_html" is called when accessed from the Web; otherwise, the "script"s "__call__" is called. * give your "script" and its "__call__" method an empty docstring. -- Dieter ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Security for objects being called
On Tue, Sep 16, 2008 at 08:55:33AM -0400, Thibaud Morel l'Horset wrote: > Thanks for the response Paul. I don't see a Proxy tab on Page Templates > though, only DTML methods: do I need to install an additional product for > that? or is it configured somewhere else for Templates? Oops, right you are. Templates don't have proxy roles. One obvious workaround: Add a dtml method that consists only of . Make this dtml method anonymously viewable, and give it a proxy role of Authenticated. Then make your real template, and the script it calls, both viewable only by Authenticated. -- Paul Winkler http://www.slinkp.com ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Security for objects being called
Thanks for the response Paul. I don't see a Proxy tab on Page Templates though, only DTML methods: do I need to install an additional product for that? or is it configured somewhere else for Templates? On Tue, Sep 16, 2008 at 7:48 AM, Paul Winkler <[EMAIL PROTECTED]> wrote: > On Mon, Sep 15, 2008 at 07:44:58PM -0400, Thibaud Morel l'Horset wrote: > > Hello all, > > > > I'm trying to figure out how to prevent certain zope objects from being > > called directly but allow them to be called from another object. > > > > Here is an example: > > You have a ZPT page, let's originally call it 'test' > > test calls a Script(Python) 'script' > > > > I want any anonymous user to be able to call 'test' from the web but > not > > 'script'. However, I want 'test' to call 'script' and render the contents > of > > 'script' to anonymous users through 'test'. I tested this out by making > the > > 'script' View permission only available for Authenticated users, and as > > anonymous I can neither hit 'test' nor 'script'. > > > > Based on my understanding of the Zope security framework I don't think > > this is possible... hopefully someone can tell me I'm wrong though and > show > > me how to do it :) > > http://plope.com/Books/2_7Edition/Security.stx#2-62 > > > -- > > Paul Winkler > http://www.slinkp.com > ___ > Zope maillist - Zope@zope.org > http://mail.zope.org/mailman/listinfo/zope > ** No cross posts or HTML encoding! ** > (Related lists - > http://mail.zope.org/mailman/listinfo/zope-announce > http://mail.zope.org/mailman/listinfo/zope-dev ) > ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Security for objects being called
On Mon, Sep 15, 2008 at 07:44:58PM -0400, Thibaud Morel l'Horset wrote: > Hello all, > > I'm trying to figure out how to prevent certain zope objects from being > called directly but allow them to be called from another object. > > Here is an example: > You have a ZPT page, let's originally call it 'test' > test calls a Script(Python) 'script' > > I want any anonymous user to be able to call 'test' from the web but not > 'script'. However, I want 'test' to call 'script' and render the contents of > 'script' to anonymous users through 'test'. I tested this out by making the > 'script' View permission only available for Authenticated users, and as > anonymous I can neither hit 'test' nor 'script'. > > Based on my understanding of the Zope security framework I don't think > this is possible... hopefully someone can tell me I'm wrong though and show > me how to do it :) http://plope.com/Books/2_7Edition/Security.stx#2-62 -- Paul Winkler http://www.slinkp.com ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )