Chris Beaven wrote at 2005-9-27 16:54 +1200:
>I'm having a problem figuring out how to keep things secure while
>allowing a proxied script to call a page template correctly.
>
>/details/sendDetails
>Python script that is publicly available, receives an email address and
>sends that person their details stored in the database.
>The script has proxy rights of "Administrator".
>
>/admin/person/emaildetails.htm
>Page template that is secured (admin folder is Administrator only for
>"view" and "access contents information").
>
>
>The anonymous user is prompted for authentication.

It calls "sendDetails"? ... which in turn calls "emaildetails.htm"?

>If I change emaildetails.htm to a simple "test" text file it works, the
>problem seems to lie when the template tries to access any script from
>the context.

In principle, it should have no problems accessing scripts.

*HOWEVER* note that proxy roles are not passed to called objects.
Thus, "emaildetails.htm" does not run with proxy roles.
If it accesses objects from "admin folder", then you will get
an "Unauthorized".

A possible solution could be: let "sendDetails" access and process
all protected information and pass the results only (hopefully
elementary and therefore unrestricted) to the page template for formatting.
Let "sendDetails" then send the formatted message itself.

--
Dieter
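
The behaviour described in the reply above, as a simplified Python model added here for illustration (it is not code from the thread and not Zope source). `Executable`, `effective_roles`, `read_person`, `OUTBOX` and the sample record are constructed stand-ins; the model assumes only that the innermost running executable's proxy roles are consulted, which is the rule the reply states.

```python
# Simplified model of the proxy-role rule (constructed; not Zope source code).
class Unauthorized(Exception):
    pass

ANONYMOUS = frozenset({"Anonymous"})
EXEC_STACK = []   # executables currently running, innermost last
OUTBOX = []       # stand-in for the mail host

class Executable:
    """A script or template; proxy_roles is empty unless explicitly set."""
    def __init__(self, name, body, proxy_roles=()):
        self.name, self.body = name, body
        self.proxy_roles = frozenset(proxy_roles)

    def __call__(self, *args):
        EXEC_STACK.append(self)
        try:
            return self.body(*args)
        finally:
            EXEC_STACK.pop()

def effective_roles(user_roles=ANONYMOUS):
    # Only the innermost executable's proxy roles apply; callees do not inherit them.
    return EXEC_STACK[-1].proxy_roles or user_roles

def read_person(email):
    # Stand-in for protected data under the Administrator-only admin folder.
    if "Administrator" not in effective_roles():
        raise Unauthorized("read_person")
    return {"email": email, "name": "Pat Example"}   # constructed record

# Failing layout: the template fetches the protected data itself.
tmpl_bad = Executable("emaildetails.htm",
                      lambda email: "Dear %s," % read_person(email)["name"])
send_bad = Executable("sendDetails", tmpl_bad, proxy_roles=["Administrator"])

# Suggested layout: the script reads the data, passes plain strings, and sends.
tmpl_ok = Executable("emaildetails.htm", lambda name: "Dear %s," % name)

def _send_details(email):
    person = read_person(email)          # runs under the script's proxy role
    body = tmpl_ok(person["name"])       # template sees only an elementary value
    OUTBOX.append((person["email"], body))
    return body

send_ok = Executable("sendDetails", _send_details, proxy_roles=["Administrator"])
```

Calling `send_bad` as an anonymous user raises `Unauthorized` inside the template, while `send_ok` formats and queues the message because every protected read happens in the frame that holds the proxy role.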