One way to do this is to peek at the HTTP_REFERER value coming from the 
browser before you serve the document. If the document is in a file object, 
then you can use a precondition for this, which is a callable object.

It could be written as follows in a Python script:

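request = context.REQUEST
# A directly typed URL sends no Referer header, so default to ''.
referer = request.get('HTTP_REFERER', '')
# The trailing slash stops a look-alike host prefix from matching.
if not referer.startswith(request.SERVER_URL + '/'):
    raise 'NotFound'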

If you make a script and then specify it for the preconditions of your files, 
then it would only allow downloads coming from another URL on your site. No 
direct URL or linking from outside would be allowed with a standard browser.

However, one could easily circumvent this by spoofing the HTTP_REFERER on the 
client. This would assume a certain level of sophistication on the part of 
the would-be spoofer.

To make it a bit harder you could use sessions or cookies and validate those 
in your precondition instead. This would be harder to fool if you did it 


On Tuesday 12 November 2002 07:11 pm, General Info wrote:
> i have the following situation.
> i want the users to be able to download non html documents if that document
> is referred to from an html document. however, i don't want the users to be
> able to type the url and document name on the url box of their browsers and be
> able to download it.
> for example:
> the documents exist in
> however, i don't want the users to type that url on their browser and access
> i only want them to access it if that particular document is linked from an
> html document.
> i have seen some websites that do that w/ images. how can i do that on zope?
> is it possible?
> i would appreciate any comments/suggestions.
> -roberto
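
The cookie-based check suggested in the reply above, next to the Referer check it would replace, as an added example that is not part of the original message and does not use Zope's own API. The names (SECRET, MAX_AGE, issue_token, token_allows, referer_allows) and the example.org URLs are hypothetical; in Zope the token would be set as a cookie by the linking page and read in the precondition script.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: per-site secret kept server-side
MAX_AGE = 300                      # assumption: token lifetime in seconds


def referer_allows(headers, server_url):
    """The Referer check from the message: trusts a client-supplied header."""
    return headers.get("HTTP_REFERER", "").startswith(server_url + "/")


def issue_token(path, now=None):
    """Called while rendering the HTML page that links to `path`."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SECRET, f"{path}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def token_allows(cookie, path, now=None):
    """Called from the file's precondition before the document is served."""
    now = time.time() if now is None else now
    ts, sep, mac = (cookie or "").partition(":")
    if not sep or not ts.isdigit():
        return False
    expected = hmac.new(SECRET, f"{path}|{ts}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; the MAC binds the token to one path and time.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    return 0 <= now - int(ts) <= MAX_AGE


def demo():
    site, path = "http://www.example.org", "/docs/report.pdf"  # constructed
    # Direct request carrying a Referer header the client filled in itself.
    forged = {"HTTP_REFERER": site + "/index.html"}
    good = issue_token(path, now=1000)
    return {
        "referer_forged": referer_allows(forged, site),
        "token_missing": token_allows(None, path, now=1010),
        "token_valid": token_allows(good, path, now=1010),
        "token_other_doc": token_allows(good, "/docs/other.pdf", now=1010),
        "token_expired": token_allows(good, path, now=1000 + MAX_AGE + 1),
    }


if __name__ == "__main__":
    print(demo())
```

A valid token shows only that the browser loaded the linking page within MAX_AGE seconds, so a user who has just visited that page can still request the document directly until the token expires.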

Zope-Dev maillist  -  [EMAIL PROTECTED]