[Zope-dev] Preventing scripts from being called directly
Dario Lopez-Kästen
dario at ita.chalmers.se
Mon Aug 23 09:10:39 EDT 2004
Chris Withers wrote:
> Dario Lopez-Kästen wrote:
>
>>
>> I am trying to prevent PythonScripts from being called directly TTW.
>
>
> Why?
Because the scripts I use in conjunction with SUF and that return person
information are callable as http://server/acl_users/scriptname.
And the SUF API demands that the scripts accept a parameter that then
can easily be supplied in the URL. If all this is done, then I can
obtain info about users that way. Not good.
>> Is there a better way of doing this than the following code being
>> called at the very beginning of the script?
>>
>> if script.getPhysicalPath() == context.REQUEST.PUBLISHED.getPhysicalPath():
>>     raise "UnAuthorisedOrSimilar"
>
>
> Make the scripts only viewable by Manager, and give whatever calls them
> that role by Proxy.
Hm... right... that'd require even more customisation policy of my Plone
site than what is there now...
I think I'll use the above code until I have time to fix the role/proxy
assigning programmatically.
BTW, will SUF have support for FS-based scripts in the future?
/dario
--
-- -------------------------------------------------------------------
Dario Lopez-Kästen, IT Systems & Services Chalmers University of Tech.