[Zope] Security of a Web Application in Zope

Dieter Maurer dieter at handshake.de
Thu Sep 25 14:46:35 EDT 2003


Edward Pollard wrote at 2003-9-24 11:32 -0600:
 > ...
 > Let me demonstrate with an example:
 > The project hierarchy basically looks like this:
 > 
 > /root
 >    index.html
 >    otherfiles.html
 >    /queries
 >        all Z SQL Methods
 >    /scripts
 >        all python scripts
 > 
 > ...
 > I *thought* that perhaps I could revoke all rights to Anonymous from 
 > the methods and scripts, and then give them to Owner, and Proxy Role 
 > the .html files to Owner, but that seems to block inter-script and 
 > script-to-query calls. I would have to Proxy Role every object, of 
 > which there is no easy interface to do so.
 > 
 > Anyone with better thoughts on securing my scenario? (Or, indeed, if I 
 > need to turn my scenario on its head?)

Someone else already suggested that grouping by type
is not the best approach for Zope...


When you want to prevent activation by ZPublisher,
then there is some product "TraversableFolder" (or something
similar) that allows you to control traversal through the
folder. I think you can specify that only traversal from
local intranet addresses is possible.
A similar effect can be achieved with a SiteAccess AccessRule
on the folder.



Dieter
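As an added illustration of the traversal-gating approach Dieter describes (this is example code written for this page, not code from the original post, from Zope, or from the SiteAccess or TraversableFolder products): a small, self-contained gate that lets publisher requests reach `index.html` freely but refuses to descend into the helper folders `queries` and `scripts` unless the client address is on the intranet. The hook shape is an assumption: it takes a REQUEST-like mapping carrying `REMOTE_ADDR` and the remaining path as `TraversalRequestNameStack` (assumed to be reversed, so the next name to traverse is the last element). Folder names, the intranet ranges and the sample requests are constructed for the example.

```python
"""Added example, not part of the original thread or of any Zope product.

Gate publisher traversal into helper folders by client address. Calls
made from inside Zope (one Python Script calling another, or a script
calling a Z SQL Method) do not pass through publisher traversal, so a
gate like this leaves them alone while still blocking direct URL access.
"""
import ipaddress

# Constructed for the example: folders that only hold callables used by
# other objects and should not be reachable by URL from outside.
PROTECTED_FOLDERS = frozenset({"queries", "scripts"})

# Constructed intranet definition: RFC 1918 ranges plus loopback.
INTRANET = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


class TraversalDenied(Exception):
    """Raised by the hook when traversal must stop (assumed signalling style)."""


def is_intranet(remote_addr):
    """True when remote_addr parses as an IP inside one of the INTRANET ranges.

    An unparsable or empty address is treated as external: failing closed
    is the only safe default for an access gate.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in INTRANET)


def next_name(name_stack):
    """Next path element to traverse.

    Assumption: the stack is stored reversed (Zope pops names from the
    end), so for the URL path queries/getUsers the stack is
    ['getUsers', 'queries'] and the next element is the last one.
    """
    return name_stack[-1] if name_stack else None


def traversal_allowed(remote_addr, name_stack):
    """Decide whether this request may descend into the next path element."""
    name = next_name(name_stack)
    if name not in PROTECTED_FOLDERS:
        return True  # ordinary pages stay reachable from anywhere
    return is_intranet(remote_addr)


def access_rule(REQUEST):
    """Hook body in the shape an access rule script might take (assumed).

    REQUEST is any mapping with REMOTE_ADDR and TraversalRequestNameStack.
    Returns None when traversal may continue, raises TraversalDenied otherwise.
    """
    remote = REQUEST.get("REMOTE_ADDR", "")
    stack = list(REQUEST.get("TraversalRequestNameStack", []))
    if not traversal_allowed(remote, stack):
        raise TraversalDenied(
            "traversal into %r refused for %s" % (next_name(stack), remote or "?")
        )


if __name__ == "__main__":
    # Constructed sample requests: an intranet client and an external one,
    # each asking for the same Z SQL Method by URL, plus a public page.
    for addr, stack in [
        ("192.168.1.20", ["getUsers", "queries"]),
        ("203.0.113.5", ["getUsers", "queries"]),
        ("203.0.113.5", ["index.html"]),
    ]:
        try:
            access_rule({"REMOTE_ADDR": addr, "TraversalRequestNameStack": stack})
            print("allow", addr, "/".join(reversed(stack)))
        except TraversalDenied as exc:
            print("deny ", exc)
```

One caveat a practitioner should keep in mind before relying on an address check: when Zope sits behind a reverse proxy, `REMOTE_ADDR` is the proxy's address, and any scheme that instead trusts a forwarded header must only accept that header from the proxy itself, otherwise an external client can claim an intranet address. The gate also only governs URL traversal; the permission settings on the scripts and queries still decide what a caller may execute once it gets there.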