[ZPT] No proxy roles in page templates? What do I do then?

Itai Tavor itai@optusnet.com.au
Wed, 26 Sep 2001 09:46:06 +1000


Evan Simpson wrote:

>Itai Tavor wrote:
>
>>I just discovered that page templates don't have proxy roles. From 
>>the fact that nobody is complaining, I assume there must be some 
>>new, ZPT way of doing things that doesn't require proxy roles... I 
>>hope there is. Anyone want to tell me what it is? Seems to me that 
>>this severely limits how secure I can make products...
>
>
>Use a Script.  Templates and Scripts cooperate quite well.

I don't see how that would help... unless you mean that index.html 
would be a script, which would use a proxy role to access protected 
information and then render a protected PT. But that would be much 
too ugly and convoluted.

If you mean that the PT will call a script which has proxy roles, 
that wouldn't help at all IMO, because the script will need to be 
publicly accessible, opening a security hole.

I want to ensure that certain object interface methods are only 
called by authorized methods, and are not accessible TTW nor by DTML 
or PT methods written by other Zope users. So I protect those 
interfaces with a permission that I only give to the Manager role, 
and I give the Manager proxy role to the UI methods that need to 
access those interfaces. But this can't be done with PTs. If I create 
a script to access the protected interfaces, then that script exposes 
the protected data both TTW and to other Zope users, right?

For now, I removed the doc strings from the interface methods I want 
protected so they're not accessible TTW, and I don't allow anyone 
else to create Zope content in this server. But this is a band-aid 
solution. Surely there must be a better way?

Itai
-- 
--
Itai Tavor                      -- "Je sautille, donc je suis."    --
itai@optusnet.com.au            --               - Kermit the Frog --
--                                                                 --
-- "If you haven't got your health, you haven't got anything"      --
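To make the trade-off in the message concrete, here is a small Python model added for this archive page; it is not code from the thread and not the Zope API (Context, protected, with_proxy_roles, outcome and the role and permission names are stand-ins). It shows that a script carrying the Manager proxy role and callable by anyone hands the protected data to every caller, while giving the script its own Manager-only permission also blocks a template that runs with the user's own roles.

```python
# Added illustration, not Zope code: a toy model of permissions, roles and proxy roles.
class Forbidden(Exception):
    pass

class Context:
    """Stack of role sets the executing code runs with; top entry is effective."""
    def __init__(self, user_roles):
        self.stack = [frozenset(user_roles)]

def protected(permission, granted_to):
    """Guard: the effective roles must include a role the permission is granted to."""
    def deco(fn):
        def wrapper(ctx, *args):
            if not ctx.stack[-1] & granted_to:
                raise Forbidden(f"'{permission}' denied for {sorted(ctx.stack[-1])}")
            return fn(ctx, *args)
        return wrapper
    return deco

MANAGER_ONLY = frozenset({"Manager"})

@protected("Access protected interface", MANAGER_ONLY)
def get_protected_data(ctx):
    return "protected payload"  # constructed sample value

def with_proxy_roles(ctx, proxy_roles, fn):
    """Script with proxy roles: while fn runs, code carries the proxy roles, not the user's."""
    ctx.stack.append(frozenset(proxy_roles))
    try:
        return fn(ctx)
    finally:
        ctx.stack.pop()

def public_proxy_script(ctx):
    """Manager proxy role, callable by anyone: the data leaks to every caller."""
    return with_proxy_roles(ctx, MANAGER_ONLY, get_protected_data)

@protected("Call UI script", MANAGER_ONLY)
def guarded_proxy_script(ctx):
    """Same script but itself Manager-only: a template running as the user can't reach it."""
    return with_proxy_roles(ctx, MANAGER_ONLY, get_protected_data)

def outcome(fn, user_roles):
    """What a user holding user_roles gets back from calling fn."""
    try:
        return fn(Context(user_roles))
    except Forbidden:
        return "denied"
```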