On 27 Sep 2007, at 12:19, Charlie Clark wrote:

> Hi,
>
> How do I control access to a PythonScript that should only be available as an action? I've set up the action for the site and given it a permission, but this seems only to affect its visibility for users.
>
> I.e. I have a script manage_wombats and configured an action for it with the Permission "Manage portal". It is listed as an action only for managers but is globally available as a URL.

If you have a script somewhere in the skins or in your site it will *always* be available for people who call it up directly by URL. There is no built-in mechanism in Zope or the CMF to control that. You could do some "manual" checking inside the script to make sure the calling user has the right permissions or the script is not called by direct URL traversal.

jens
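
The "manual" permission check described in the reply, as an added example that is not part of the original thread: the guard runs at the top of the script, so the action's visibility no longer matters. `getSecurityManager().checkPermission(permission, object)` and `Unauthorized` are the real AccessControl API; `FakeSecurityManager`, `require_permission`, `try_call` and the body of `manage_wombats` are assumptions made so the example runs outside Zope.

```python
try:
    # Real Zope API; both names are importable from a Script (Python).
    from AccessControl import getSecurityManager, Unauthorized
except ImportError:
    # Constructed stand-ins so the example also runs outside Zope.
    getSecurityManager = None

    class Unauthorized(Exception):
        pass


class FakeSecurityManager:
    """Constructed stand-in for Zope's security manager (one user, fixed permissions)."""

    def __init__(self, granted):
        self.granted = set(granted)

    def checkPermission(self, permission, obj):
        # Same call shape as the real checkPermission(permission, object).
        return permission in self.granted


def require_permission(permission, obj, security_manager=None):
    """Raise Unauthorized unless the current user holds `permission` on `obj`."""
    sm = security_manager if security_manager is not None else getSecurityManager()
    if not sm.checkPermission(permission, obj):
        raise Unauthorized("'%s' permission required" % permission)


def manage_wombats(context, security_manager=None):
    """Hypothetical body of the script from the question."""
    # The guard runs first, so a direct URL call is refused as well,
    # whether or not the action link was visible to the caller.
    require_permission("Manage portal", context, security_manager)
    return "wombats managed"


def try_call(granted):
    """Call the script as a user with the given permissions; report the outcome."""
    try:
        return manage_wombats(object(), FakeSecurityManager(granted))
    except Unauthorized:
        return "Unauthorized"


if __name__ == "__main__":
    print(try_call(["View"]))
    print(try_call(["View", "Manage portal"]))
```

Inside a real Script (Python) only the guard is needed: call `getSecurityManager().checkPermission('Manage portal', context)` at the top of the script body and raise `Unauthorized` when it returns a false value.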



_______________________________________________
Zope-CMF maillist  -  Zope-CMF@lists.zope.org
http://mail.zope.org/mailman/listinfo/zope-cmf

See http://collector.zope.org/CMF for bug reports and feature requests