Ferhat Ayaz wrote at 2006-9-11 01:05 -0700:
>I want to restrict access to a subfolder:
>Folder structure:
>Root Folder
> +- MySite
>      +- Admin
>Access limitation:
>My Site: Public for all
>Admin: Only with Basic Authentication
>My page templates under 'MySite' use Script (Python)
>calls from Admin folder like:
>index_html (in MySite):
><tal:contain define="user container/Admin/getUser">
> ...
>But 'getUser' should not be able for access from
>outside the application server.
>How can I do this? 

What you want is difficult to achieve (if I disregard, that (in some speaking)
no access to 'getUser' is possible "from outside" the application server --
all (Web access) will go through the application server).

The easiest solution would be to move the objects that should
be used from public code out of "Admin" and put it in a separate
folder, say "Admin_public". There is a product around that prevents
traversal from entering a folder. This way, you can prevent
that your "getUser" is used directly from the Web.
Do not ask me how this product is called -- I forgot and will not
search for you.

An alternative (to the product) would be a "SiteAccess" "AccessRule".
Be warned however, that such a rule can be disabled through special
url path segments. If not using "getUser" and friends is vital,
then you would need to change the "AccessRule" code to prevent
disabling by special urls.

And, as others already pointed out: you can use "proxy roles".
But, of course, many scripts might need to get such roles...

Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to