[Zope] Idiom for accessing restricted capabilities

Andrew Athan zope_list_response@memeplex.com
Fri, 27 Dec 2002 10:35:54 -0500


I do not believe this is enough for me (also, external methods do not
implement the proxy mechanism).
 
I need to have some degree of confidence that the invoker of the method
is not someone typing a URL at their browser, but rather, that the
invoker is code I have written and hosted on the Zope instance.  I also
need to be "relatively sure" that the protected code runs only after
certain operations have been invoked, not at arbitrary points.
 
My current scheme involves explicitly adding a magic cookie (such as
"itshot":"tabasco") to the request object in the invoker, and then
looking for that cookie before executing "protected" code, in the
method.
 
I skipped the idea of using an acl_users in the protected folder, and
switching the current user to one of the authenticated users in the
protected folder ... or simpler, to explicitly setting a more powerful
role, because of the complexity of the code (I was lazy).
 
Thus, in http://zope/foobar.tal  I have <span tal:omit-tag=""
tal:define="foo python:request.set('ishot','tabasco')"> ... use
context.protected.method() .... </span>
 
And in http://zope/protected/method  I have something like:
 
if request.has_key('ishot'):
...
 
Your suggestion to use proxy roles implies a scheme whereby either
http://zope/protected/method is called through another method that adds
the appropriate role via its proxy mechanism, or is itself set to proxy
to the required role.  The issue with this is that the proxy role is set
at invoke time, instead of by logic within the method.
 
A.
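An added illustration, not code from the thread: a small Python model of the magic-cookie check described above. Zope 2's HTTPRequest merges form and cookie values into the same namespace that request.set() writes to, so a has_key() test accepts a value typed into the URL as readily as one set by the template; the FakeRequest class, the sentinel object and all function names here are constructed stand-ins (assumptions), not Zope's own API.

```python
class FakeRequest:
    """Constructed stand-in for Zope's HTTPRequest (assumption modelled on
    Zope 2: cookies and form values are copied into `other`, the dict that
    request.set() writes to and has_key()/get() read from)."""

    def __init__(self, form=None, cookies=None):
        self.form = dict(form or {})        # query string / POST body: strings only
        self.cookies = dict(cookies or {})  # Cookie header: strings only
        self.other = {}
        self.other.update(self.cookies)
        self.other.update(self.form)

    def set(self, key, value):
        self.other[key] = value

    def has_key(self, key):
        return key in self.other

    def get(self, key, default=None):
        return self.other.get(key, default)


# The scheme from the message: a string "magic cookie" tested with has_key().
def protected_method_cookie(request):
    if request.has_key('ishot'):
        return 'purchased'
    raise PermissionError('not called from trusted code')


# Hardened variant (constructed): the trusted caller stores a server-side
# sentinel object in the request. Form and cookie parsing only ever produce
# strings, so an identity test against the sentinel cannot be satisfied by
# anything a browser sends.
_TRUSTED_CALLER = object()  # defined only in server-side code (assumption)

def protected_method_sentinel(request):
    if request.get('trusted_caller') is _TRUSTED_CALLER:
        return 'purchased'
    raise PermissionError('not called from trusted code')

def trusted_template(request):
    # plays the role of foobar.tal: mark the request, then call the method
    request.set('trusted_caller', _TRUSTED_CALLER)
    return protected_method_sentinel(request)


def demo():
    r = FakeRequest()
    r.set('ishot', 'tabasco')                  # what the template does
    via_template = protected_method_cookie(r)
    # the same check also passes for .../protected/method?ishot=anything
    via_url = protected_method_cookie(FakeRequest(form={'ishot': 'x'}))
    try:                                       # sentinel check rejects the URL
        protected_method_sentinel(FakeRequest(form={'trusted_caller': 'x'}))
        url_vs_sentinel = 'allowed'
    except PermissionError:
        url_vs_sentinel = 'denied'
    return via_template, via_url, url_vs_sentinel, trusted_template(FakeRequest())
```

demo() returns ('purchased', 'purchased', 'denied', 'purchased'): the cookie check does not distinguish the template from a typed URL, the sentinel check does.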
 

-----Original Message-----
From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of
Kevin Carlson
Sent: Thursday, December 26, 2002 9:44 PM
To: Andrew Athan; zope@zope.org
Subject: RE: [Zope] Idiom for accessing restricted capabilities


Sounds like you should use a proxy role for the methods in question.
 
Kevin

-----Original Message-----
From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of
Andrew Athan
Sent: Thursday, December 26, 2002 6:47 PM
To: zope@zope.org
Subject: [Zope] Idiom for accessing restricted capabilities


 
Say you have a site which must perform certain restricted activities, but
those activities should be invokable by anonymous users IF AND ONLY IF
the users initiate them from an authorized source (e.g., a specific DTML
or ZPT script)...what is the recommended way of setting this up?
 
Example:  Site X allows anonymous users to purchase an item.  The
purchase() method is defined to be accessible only by a specific
trusted/authenticated user.  The purchase() method should not be
invokable by the anonymous user, but if the anonymous user accesses the
checkout page template, that page template should be able to invoke
purchase().
 
Now, say I want to invoke purchase() from an ExternalMethod that is
called from an anonymous context, what's the preferred way of setting
and supplying the appropriate credentials?
 
I have solved these problems "my way," think the solution is hairy and
dirty, and would therefore like to see what people's recommended
solutions are.
 
A.
 
