On 5/23/07, David H <[EMAIL PROTECTED]> wrote:
I have a (zope 2.8.8-final) folder that gives users with the role
the following Permissions:

   . access contents
   . view
   - note: no webDav or FTP access is allowed

Playing around with wget and curl I find I can (with proper
authentication) download the "published" but not raw source of zpt and
python files available in the folder.

So, for example, the script "\folder\pyDate" returns '2007/05/23' not
its source, e.g.

# module: pyDate
from DateTime import DateTime
return DateTime().Date()

This is the behavior I want - as we have a requirement to keep source

I realize that source in Zope-Instance/Extensions is the most secure but
I'm interested in local script security.

I am not sure what your question is, you didn't state any. I am
guessing that you want to know if there is any way Authenticated could
get at the source anyway. The answer to that question is:
no, unless users have additional permissions they cannot see the
sourcecode of DTML and Python scripts.

Martijn Pieters
Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to