[Zope] Scripts run as least privileged user necessary?

Ken Causey ken at kencausey.com
Thu Sep 4 09:52:30 EDT 2003


On Thu, 2003-09-04 at 03:54, Chris Withers wrote:
> Ken Causey wrote:
> > It is a precondition script whose goal is to try to prevent access to an
> > image unless you are viewing it embedded within a page of my site.  
> 
> A simpler solution is just to look at your logs every now and then and bitch at 
> people who are hijacking images ;-)

See below for why that is not so easy.

> 
> > The
> > closest I've been able to come to this goal is to add a value to the
> > session within the page and check in the precondition script for the
> > image that the value is defined.  Although not ideal this works
> > sufficiently.
> 
> I think that's about as good as it'll get, HTTP and HTML are not designed to do 
> what you want them to...
> 
> > Where I'm running into the problem I described above is that I wanted to
> > exempt managers from the check for the session variable.  The obvious
> > way to do that seemed to be to check the role of the user.
> 
> Indeed, but that's a nigh-on impossible task given the way HTTP and HTML work 
> together...

I don't understand why.  In the past I have made such checks in DTML and
ZPT pages and it seemed to work fine.  Is it not a common task to have a
page that has different behaviour based on the roles of the user?

> 
> > I welcome any alternatives you can suggest.
> 
> Hmmm, why do you care so much about these images being hijacked?

Because past experience has told me it will happen.  The most common
occurrence is that eBay users will use my pictures and bandwidth rather
than go to the trouble of making and hosting their own.  This will be
exacerbated by the fact that I plan myself to post items on eBay as a
source of promotion.  I really don't care to have to contact eBay all
the time to complain about this or have to scan logs for the
possibility.  There are better ways to spend my time.  So my preference
is to find a technological solution.

Ken

> 
> cheers,
> 
> Chris
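The check Ken describes, as an added illustration that is not code from the thread and not Zope's own API: a page view drops a marker into the visitor's session, and the image's precondition serves the image only when that marker is present, with users holding the Manager role exempt. The `Request`, `User` and session objects below are stand-ins shaped like Zope 2's `REQUEST.SESSION` and `AUTHENTICATED_USER.has_role()` so the logic runs offline; the session key name and the expiry on the marker are assumptions (the expiry goes beyond the thread, which uses a plain "is it defined" test, and exists because a session marker otherwise keeps working for the rest of the session once any site page has been loaded).

```python
"""Simulation of a Zope-style image precondition for hotlink protection.

Not the thread's code: the request/session/user classes mimic the shape
of Zope 2's REQUEST.SESSION and AUTHENTICATED_USER.has_role() only.
"""
import time


class Unauthorized(Exception):
    """Raised by the precondition so the server refuses to serve the image."""


class User:
    """Stand-in for a Zope user object exposing has_role()."""

    def __init__(self, name, roles=()):
        self.name = name
        self._roles = set(roles)

    def has_role(self, role):
        return role in self._roles


class Request:
    """Stand-in for a Zope REQUEST: a session mapping plus the caller."""

    def __init__(self, user, session=None):
        self.SESSION = session if session is not None else {}
        self.AUTHENTICATED_USER = user


SESSION_KEY = "viewed_site_page"   # assumed key name, not from the thread
MARKER_TTL = 600                   # seconds; an added tightening, see lead-in


def page_view(request, now=None):
    """Called from a site page: record (with a timestamp) that it was viewed."""
    request.SESSION[SESSION_KEY] = time.time() if now is None else now
    return "<html>...<img src='photo.jpg'>...</html>"


def image_precondition(request, now=None):
    """Precondition for the image: return normally to serve, raise to refuse.

    Managers are exempt from the session check; everyone else must carry
    a fresh marker set by a page view in the same session.
    """
    user = request.AUTHENTICATED_USER
    if user.has_role("Manager"):
        return True
    stamp = request.SESSION.get(SESSION_KEY)
    if stamp is None:
        raise Unauthorized("image may only be viewed embedded in a site page")
    now = time.time() if now is None else now
    if now - stamp > MARKER_TTL:
        raise Unauthorized("session marker has expired; reload a site page")
    return True


def can_fetch_image(request, now=None):
    """Boolean wrapper around the precondition for tests and demos."""
    try:
        image_precondition(request, now)
    except Unauthorized:
        return False
    return True


if __name__ == "__main__":
    visitor = Request(User("anonymous"))
    print("direct hotlink:", can_fetch_image(visitor))   # refused
    page_view(visitor)
    print("after page view:", can_fetch_image(visitor))  # served
    print("manager, no page view:",
          can_fetch_image(Request(User("ken", roles=["Manager"]))))
```

Note what this does and does not buy: a visitor who has loaded any site page in the last `MARKER_TTL` seconds can still fetch the image from anywhere, so this stops casual embedding (an eBay listing whose viewers never visited the site) rather than a determined copier.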