On 27 Sep 2007, at 12:19, Charlie Clark wrote:
> How do I control access to a PythonScript that should only be
> available as an action? I've set up the action for the site and
> given it a permission but this seems only to affect its visibility,
> i.e. I have a script manage_wombats and configured an action for it
> with the Permission "Manage portal". It is listed as an action only
> for managers but is globally available as a URL.

If you have a script somewhere in the skins or in your site it will
*always* be available for people who call it up directly by URL.
There is no built-in mechanism in Zope or the CMF to control that. You
could do some "manual" checking inside the script to make sure the
calling user has the right permissions or the script is not called by
direct URL traversal.
Zope-CMF maillist - Zope-CMF@lists.zope.org
See http://collector.zope.org/CMF for bug reports and feature requests
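
The "manual" permission check suggested in the reply could look like the following. This is an added example, not code from the thread or from the CMF; it is written as a plain function with constructed stand-ins (`StubContext`, `_StubSecurityManager`, `call_as`) so it runs outside Zope, and it assumes the script is protected by the same "Manage portal" permission as the action.

```python
# In a Zope Script (Python) the two names below come from:
#   from AccessControl import getSecurityManager, Unauthorized
# Constructed stand-ins follow so the example runs without Zope installed.
class Unauthorized(Exception):
    pass

_current_roles = set()  # stand-in for the authenticated user's roles


class _StubSecurityManager:
    def checkPermission(self, permission, obj):
        # Zope maps each permission to roles on the object; mimic that lookup.
        return bool(_current_roles & obj.permission_roles.get(permission, set()))


def getSecurityManager():
    return _StubSecurityManager()


class StubContext:
    """Constructed stand-in for the object the script is called on."""
    permission_roles = {"Manage portal": {"Manager"}}


PERMISSION = "Manage portal"  # same permission the action is configured with


def manage_wombats(context):
    # Check before any side effect: hiding the action does not protect the
    # URL, so the script itself must refuse callers lacking the permission.
    if not getSecurityManager().checkPermission(PERMISSION, context):
        raise Unauthorized("%s permission required" % PERMISSION)
    return "wombats managed"


def call_as(roles):
    """Run the script as a user with the given roles; report the outcome."""
    global _current_roles
    _current_roles = set(roles)
    try:
        return manage_wombats(StubContext())
    except Unauthorized:
        return "Unauthorized"


if __name__ == "__main__":
    for roles in (["Manager"], ["Member"], ["Anonymous"]):
        print(roles, "->", call_as(roles))
```

Inside Zope only the body of `manage_wombats` and the real import are needed; `context` is the script's standard binding.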