In my application built on top of Zope, there is a folder scripts/ which 
contains various Python scripts. Some of these scripts invoke SQL methods and 
accept parameters.

The DTML method (outside the scripts/ folder) first calls scripts to set 
parameters and then scripts which invoke SQL methods, passing the correct 
parameters.

However, if users can call scripts directly with an HTTP request to Zope, they 
can pass any parameters they like. So, for security reasons, it is important 
to deny "direct" access to the scripts/ folder.

Also, a manager should be able to manage this folder normally from the ZMI.

I know this can be done by restricting the View/Access Contents information 
privileges for folders/scripts to a specific role and then giving the DTML 
methods a proxy role. But are there any other, easier methods?

I've tried using access_rule, but the problem is to allow ZMI to work. At the 
time when access_rule is called, the user is not authenticated, so I cannot 
check if the current user is a manager or not.

If anybody has any ideas, I'll be grateful,
Vladimir


_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope