[Zope] restricting permissions for direct access only
Lennart Regebro
regebro at gmail.com
Sat Feb 11 05:43:28 EST 2006
On 2/11/06, Michael Shulman <shulman at mathcamp.org> wrote:
> Is there a way in Zope to restrict permissions for direct access only
> (i.e. calling an object through the web) but still allow indirect
> access (i.e. executing an object that was called by another object
> that was called through the web)?
Yes. If that "other object" is disk-based python, it is most likely
able to do it already. If it is a python-script, you can set it up to
have a proxy role. That way your auxiliary scripts can all require
manager roles, and you can give the scripts that need to call them the
Manager proxy-role
> Feel free to tell me that I am misunderstanding the way security
> works, or is supposed to work, in Zope, or that if this is something I
> need to do I am designing my site incorrectly from the point of view
> of Zope security (and if so, what is the correct way to design it?).
No you seem to have got it. Although the next time you do something
that complex you might want to look into making a disk-based prodct
instead. It's often easier for complex features.
--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
More information about the Zope
mailing list