Re: [Zope] how to prevent URL access to an external method?

Tue, 28 Apr 2009 09:25:59 -0700 

What would you change on the security tab?  I still want my authenticated users 
to have access to the method as a call to it is made from unrestricted space 
(such as a page template), I just don't want them to call the method directly.



----- Original Message ----
From: Jaroslav Lukesh <luk...@seznam.cz>
To: zope@zope.org; Tres Seaver <tsea...@palladion.com>
Sent: Tuesday, April 28, 2009 8:50:29 AM
Subject: Re: [Zope] how to prevent URL access to an external method?

Why? It is more transparent and better way - use security tab.


----- Original Message ----- 
From: "Tres Seaver" <tsea...@palladion.com>


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Pedro LaWrench wrote:
>> I need to do something on the filesystem, which requires unrestricted
>> python, so I created an external method. The problem is that anyone
>> can call that directly via URL, so I added a permission check. Even
>> then, users with the sufficient permissions can call this via URL,
>> which I don't want them to do. I only want them to have access
>> indirectly from other pages (such as a page template that will pass
>> sane parameters). Is there anyway to do this?
> 
> Add a REQUEST argument to your function, defaulting to None.  The
> publisher will always pass the request in for that argument, while the
> other templates / scripts should not.  E.g.:
> 
> def doSomething(self, REQUEST=None):
>    """ Don't call me directly via a URL!!!
>    """
>    if REQUEST is not None:
>        raise ValueError('Wicked, evil, naughty Zoot!')

_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**  No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )



      
_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to