Phani Kumar Arava wrote:
> Hi,
> I am trying to use Zope as an App server (basically to provide an XML-RPC
> interface) for a certain application.
>
> I have a function called addFile in the External Method.
>
>     def ext_addfile(self):
>         ob = self.Files
>         ob.manage_addFile("hello", "hello")
>
> I created an external method call ext_addFile()
>
> Now I write my client using xml-rpc lib
>
>     s = xmlrpclib.Server("<hostname>")
>     s.ext_addFile()
>
> And this adds a file to my directory. This freaked me out. Because I was
> anonymous user and this shouldn't happen. The next thing I did was create a
> python script of the same structure and called it addFile()
>
>     ob = context.Files
>     ob.manage_addFile("hello", "hello")
>
> Now I run my client xml-rpc program
>
>     s = xmlrpclib.Server("<hostname>")
>     s.addFile()
>
> and it's giving me unauthorized as expected.
>
> So basically I don't know why this is happening. Is this due to some
> permission problems I have on the directory or External Methods, or
> something which I am totally missing.
By design, External Methods run as "trusted" code -- if a user has "View" permission on the EM object, then its code will run without performing the security checks done by "untrusted" PythonScript objects. You need either to protect the EM object itself (removing the "View" permission on that object should be enough), or else do the security check within the EM code itself. E.g.:

    # inside the External Method body, where 'self' is the calling context
    from AccessControl import getSecurityManager, Unauthorized
    from AccessControl.Permissions import add_documents_images_and_files

    sm = getSecurityManager()
    if not sm.checkPermission(add_documents_images_and_files, self):
        raise Unauthorized("Can't add files here!")

Tres.

--
===================================================================
Tres Seaver          +1 540-429-0999
Palladion Software   "Excellence by Design"    http://palladion.com

_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
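An added example, not code from the thread, showing the original External Method with the check Tres describes applied before `manage_addFile`, so an anonymous XML-RPC caller gets `Unauthorized` instead of a new File. The `StubSecurityManager` and `StubFolder` classes are constructed stand-ins so the guard can be exercised outside Zope, where `AccessControl` is not importable; the `ImportError` fallback is an assumption for that case, not Zope's API.

```python
try:
    from AccessControl import getSecurityManager, Unauthorized
    from AccessControl.Permissions import add_documents_images_and_files
except ImportError:  # not inside Zope: minimal stand-ins (assumption, not Zope's API)
    add_documents_images_and_files = "Add Documents, Images, and Files"

    class Unauthorized(Exception):
        pass

    def getSecurityManager():
        raise RuntimeError("only available inside a Zope request")

def guarded_add_file(container, sm, file_id, data):
    """Add a File to `container` only if the caller holds the add permission there."""
    if not sm.checkPermission(add_documents_images_and_files, container):
        raise Unauthorized("Can't add files here!")
    container.manage_addFile(file_id, data)
    return file_id

def ext_addFile(self):
    """External Method entry point: the original body, with the check in front."""
    return guarded_add_file(self.Files, getSecurityManager(), "hello", "hello")

class StubSecurityManager:
    """Constructed stand-in: a 'user' holding a fixed set of permission strings."""
    def __init__(self, granted=()):
        self.granted = set(granted)

    def checkPermission(self, permission, obj):
        return permission in self.granted

class StubFolder:
    """Constructed stand-in for the Files folder; records what was added."""
    def __init__(self):
        self.added = {}

    def manage_addFile(self, file_id, data):
        self.added[file_id] = data

def run_as(granted):
    """Call the guarded method as a user with `granted`; report outcome and folder contents."""
    folder = StubFolder()
    try:
        guarded_add_file(folder, StubSecurityManager(granted), "hello", "hello")
    except Unauthorized:
        return "unauthorized", sorted(folder.added)
    return "added", sorted(folder.added)
```

`run_as(())` models the anonymous XML-RPC caller from the original post and leaves the folder untouched; granting `add_documents_images_and_files` is what lets the add go through.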