Michael Shulman wrote:

I am new to Zope, and so far I like it very much.  But I think I am
confused about how security works, or is supposed to work.
Specifically I want to know the following.

Is there a way in Zope to restrict permissions for direct access only
(i.e. calling an object through the web) but still allow indirect
access (i.e. executing an object that was called by another object
that was called through the web)?

Objects called by a URL have a REQUEST parameter. What I usually do is make the script accept an optional REQUEST=None, and if it's non-None then I raise Unauthorized.

I have many Zope scripts but most
of them are only auxiliary functions; only a few are designed to be
accessed by a user through a URL.  I don't want users to be able to
call my auxiliary scripts directly, only the ones that are designed to
be "published."  But changing the security settings on the auxiliary
scripts (e.g. removing "View" access from "Anonymous" role) prevents
anonymous users from executing them even indirectly, so the public
objects which depend on those auxiliary methods also stop working.

Feel free to tell me that I am misunderstanding the way security
works, or is supposed to work, in Zope, or that if this is something I
need to do I am designing my site incorrectly from the point of view
of Zope security (and if so, what is the correct way to design it?).


Florent Guillaume, Nuxeo (Paris, France)   Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   [EMAIL PROTECTED]
Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
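
The guard described in the reply above, as an added example that is not part of the original message. `format_price`, `show_product`, `publish` and `try_publish` are hypothetical names, `Unauthorized` is a local stand-in class, and `publish` is a simplified model that assumes a URL call receives the request in a parameter named REQUEST.

```python
import inspect


class Unauthorized(Exception):
    """Local stand-in for the exception a Zope script would raise."""


def format_price(amount, REQUEST=None):
    """Auxiliary helper: meant to be called by other scripts only."""
    if REQUEST is not None:
        # A request object was supplied, so this is a direct URL call.
        raise Unauthorized("format_price is not published")
    return "%.2f EUR" % amount


def show_product(REQUEST=None):
    """Public entry point: calls the helper without forwarding REQUEST."""
    return "Price: " + format_price(19.5)


def publish(func, request):
    """Toy model of URL publishing (assumption): arguments are filled in
    by name from the request, and the name REQUEST gets the request itself."""
    kwargs = {}
    for name, param in inspect.signature(func).parameters.items():
        if name == "REQUEST":
            kwargs[name] = request
        elif name in request["form"]:
            kwargs[name] = request["form"][name]
        elif param.default is inspect.Parameter.empty:
            raise TypeError("missing argument: " + name)
    return func(**kwargs)


def try_publish(func, request):
    """Return ('ok', body) or ('denied', reason) for a simulated URL call."""
    try:
        return ("ok", publish(func, request))
    except Unauthorized as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    request = {"form": {"amount": 19.5}}  # constructed sample request
    print(try_publish(show_product, request))  # indirect use of the helper
    print(try_publish(format_price, request))  # direct URL call to the helper
```

The guard holds only while internal callers never forward REQUEST to the helper; a public script that passes its own REQUEST along would be refused as well.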
