[Zope] Using Access Rules

Dennis Allison allison at sumeru.stanford.EDU
Fri Apr 30 18:28:12 EDT 2004


I want to add some special checking to prevent direct, through-the-web
access to authenticated users who, I discover, can get a second browser
window and move around the site from URL independent of access path.

Suppose I have pages stored in a folder structure rooted at /foo.  The 
view security permission on /foo/...  requires an Authenticated User.
Normally pages are served from /foo/... under programmatic control and 
additional constraints are applied.  But, if the user creates another
browser window and if he/she knows the URL (or the root URL) they can 
move about /foo/... however they want by simply entering the URL into 
the browser.  (This works because they are authenticated and the 
authentication is shared in the browser.)

An access rule seems to be the right mechanism for this sort of test,
but I don't quite understand how to manage the control flow.  I put the 
access rule in /foo.  It gets executed when /foo is traversed.
Now, it appears that the access rules are executed for side-effects 
only.  If that's the case, the way an error message is returned to the 
caller is by modifying REQUEST to reference the error message object 
and not the object originally specified.  Returning without changing 
the REQUEST allows Zope to continue traversing the path.

Is my model correct?
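As an added illustration, not part of the original post and not Zope's own publisher code, here is a small stand-in model of the control flow the post describes: an access rule on /foo that is invoked during traversal, returns nothing, and reroutes the request only by mutating REQUEST. The one Zope convention assumed is that the remaining path segments sit, reversed, in REQUEST['TraversalRequestNameStack'] and that replacing that list changes where traversal ends up; the site tree, the session marker ("granted_path", stamped by a hypothetical programmatic entry point) and the error object name are all constructed for the example.

```python
# Constructed stand-in for Zope 2 traversal of /foo with an access rule.
# Not Zope's publisher; it only models the side-effect-based control flow.

ERROR_PAGE = "access_error"   # hypothetical error object living in /foo

# Constructed site tree: objects under /foo, plus the error page.
SITE = {
    "foo": {
        "page1": "<page1>",
        "private": {"report": "<report>"},
        ERROR_PAGE: "<error page>",
    }
}


def access_rule(REQUEST):
    """Stand-in access rule placed in /foo.

    It is called for side effects only: returning normally lets traversal
    continue down the original path.  To send the caller to the error object
    instead, replace the remaining traversal stack (relative to /foo) so the
    publisher resolves ERROR_PAGE rather than the object originally named.
    """
    # Assumption: the programmatic entry point records, in the session, which
    # sub-path of /foo it authorised.  A direct URL typed into a second window
    # carries the same authentication cookie but not this marker.
    session = REQUEST.get("SESSION", {})
    remaining = REQUEST["TraversalRequestNameStack"]          # reversed segments
    requested = "/".join(reversed(remaining))
    if session.get("granted_path") != requested:
        REQUEST["TraversalRequestNameStack"] = [ERROR_PAGE]   # reroute
        REQUEST["access_denied_for"] = requested              # for the error page
    # deliberately no return value


def traverse(path, session):
    """Minimal publisher loop: walk SITE, firing the /foo rule when /foo is reached.

    Returns (object_found, REQUEST); object_found is None for an unknown name.
    """
    names = [n for n in path.strip("/").split("/") if n]
    REQUEST = {
        "SESSION": session,
        "TraversalRequestNameStack": list(reversed(names)),
    }
    obj = SITE
    while REQUEST["TraversalRequestNameStack"]:
        name = REQUEST["TraversalRequestNameStack"].pop()
        if not isinstance(obj, dict) or name not in obj:
            return None, REQUEST
        obj = obj[name]
        if name == "foo":
            # Rule runs once /foo itself has been traversed; whatever it leaves
            # on the stack is what the loop keeps consuming.
            access_rule(REQUEST)
    return obj, REQUEST


if __name__ == "__main__":
    # Served under programmatic control: marker matches, original object returned.
    print(traverse("/foo/private/report", {"granted_path": "private/report"})[0])
    # Same authenticated user typing the URL directly: rerouted to the error page.
    print(traverse("/foo/private/report", {})[0])
```

The point the model makes is that the rule never "returns" an error; it only edits the request, and the publisher's own loop then lands on a different object. Any real check must of course key on something the direct-URL path cannot supply (here a server-side session marker), not on anything the client controls.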
