[Zope] calling scripts from scripts and permission

Robert Rottermann robert at redcor.ch
Thu Nov 25 14:02:49 EST 2004


Massimo,
there are two things to consider.
The rights of the first script which is manager and should therefore be 
enough for what ever you want to do.
BUT:
the maximum rights it can acquire when running the second script are the 
ones the owner of that script has.
To avoid cross scripting attacks a script will always run with the 
rights of the script owner.
Otherwise you could try to trick some manager to execute a malicious 
script you do not have enough credentials to run.

Robert

massimop at users.berlios.de wrote:
> Hi
> 
> I would like to call script (the one called 'Script (python)', it should
> manage the properties of a Folder) from another that have a proxy of
> Manager
> 
> My guess was that in this way the first one would be executed with
> Manager role, but actually I was wrong... it complain that I'm not
> "allowed to access 'manage_changeProperties' in this context"
> 
> Am I doing something weird, or is this the way it should work? 
> 
> P.S.
> the same (first) script, called on the same Folder object whe the
> authenticated user is the owner of the Folder, works
> 
> 
> thanks
> massimo
> 
> 
> _______________________________________________
> Zope maillist  -  Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists - 
>  http://mail.zope.org/mailman/listinfo/zope-announce
>  http://mail.zope.org/mailman/listinfo/zope-dev )
> 
> 



More information about the Zope mailing list