In my application built on top of Zope, there is a folder scripts/ which
contains various Python scripts. Some of these scripts invoke SQL methods and
The DTML method (outside the scripts/ folder) calls first scripts to set
parameters and then scripts which invoke SQL methods passing correct
However, if users can call scripts directly with an HTTP request to Zope, they
can pass any parameters they like. So, for security reasons it is important
to deny "direct" access to the scripts/ folder.
Also, the manager should be able to manage this folder normally from the ZMI.
I know this can be done by restricting View/Access Contents information
privileges for folders/scripts to the specific role and then giving DTML
methods a proxy role. But is there any other, easier method?
I've tried using access_rule, but the is to allow ZMI to work. At the time
when access_rule is called the user is not authenticated, so I cannot
check if the current user is a manager or not.
If anybody has any ideas, I'll be grateful,