
Phani Kumar Arava wrote:
> Hi,
> I am trying to use Zope as an App server (basically to provide an XML-RPC
> interface) for a certain application.
> I have a function called addFile in the External Method.
> def ext_addfile(self):
>         ob=self.Files
>         ob.manage_addFile("hello","hello")
> I created an external method call ext_addFile()
> Now I write my client using xml-rpc lib
> s=xmlrpclib.Server("<hostname>")
> s.ext_addFile()
> And this adds a file to my directory. This freaked me out. Because I was
> an anonymous user and this shouldn't happen. The next thing I did was create a
> python script of the same structure and called it addFile()
> ob=context.Files
> ob.manage_addFile("hello","hello")
> Now I run my client xml-rpc program
> s=xmlrpclib.Server("<hostname>")
> s.addFile()
> and it's giving me unauthorized as expected.
> So basically I don't know why this is happening. Is this due to some
> permission problems I have on the directory or External Methods, or
> something which I am totally missing.

By design, ExternalMethods run as "trusted" code -- if a user has "View"
permission on the EM object, then its code will run, without performing
the security checks done by "untrusted" PythonScript objects.  You need
either to protect the EM object itself (removing the "View" permission
on that object should be enough), or else do the security check within
the EM code itself.  E.g.::

  from AccessControl import getSecurityManager, Unauthorized
  from AccessControl.Permissions import add_documents_images_and_files

  def ext_addfile(self):
      # Trusted code: Zope only checks "View" on the EM object itself, so the
      # EM must check the permission that matters on the folder it modifies.
      ob = self.Files
      if not getSecurityManager().checkPermission(add_documents_images_and_files, ob):
          raise Unauthorized("Can't add files here!")
      ob.manage_addFile("hello", "hello")

--
Tres Seaver          +1 540-429-0999          [EMAIL PROTECTED]
Palladion Software   "Excellence by Design"    http://palladion.com

