I will add the URL test. In addition, I will pass a long symettric 64 bit key to the external method as a parameter, and require the external method to confirm that the correct key was passed. Since only I have access to my file system and to my ZMI this is sufficient.
Extraneously, I would like to say how excited I am about the willingness of Zopistas to respond to questions from an ordinary user like me. Everyone talks about the buzzword frameworks Django and RoR. But the most important factor for a user ought to be the ability to get support online. On this point I don't see how Zope could be much better, as long as we ordinary users don't abuse it. Zope Corporation is opening an office in Northern Virginia, and that says to me that the commercial Zope community is growing. If I apply myself then maybe in a few years I would be part of it myself. Just my two shekels. -----Original Message----- From: Jonathan [mailto:[EMAIL PROTECTED] Sent: Friday, January 26, 2007 2:30 PM To: Mark, Jonathan (Integic); email@example.com Subject: Re: [Zope] Is there any way to turn off the publishing of externalmethods to the web in Zope? ----- Original Message ----- From: "Mark, Jonathan (Integic)" <[EMAIL PROTECTED]> To: "Jonathan" <[EMAIL PROTECTED]>; <firstname.lastname@example.org> Sent: Friday, January 26, 2007 2:32 PM Subject: RE: [Zope] Is there any way to turn off the publishing of externalmethods to the web in Zope? > Using a proxy role on the calling Python Script worked. My guess is that a > clever hacker could call the Python Script continually and then create a > race condition that would permit him to call the External Method directly > in a URL, thus passing the External Method his own malicious parameters. That's why i suggested, in an earlier response, a URL test within the external method. Jonathan _______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )