[ZPT] How are you ZPT users securing your interfaces?

Dieter Maurer dieter at handshake.de
Wed Feb 2 16:32:42 EST 2005


Kevin Gill wrote at 2005-2-1 20:19 -0000:
> ...
>I have a Zope application written using Page Templates (Presentation 
>Templates?) to interface to the user. I cannot see how to prevent a 
>malicious visitor from by-passing the Template and accessing the python 
>scripts and ZSQL methods behind it.

I posted a really long time ago an External Method
that allows you to give any object an "index_html" method.

If an object has a (non "None") "index_html" method, then
ZPublisher will call it.

Effectively, you can control in this way, how the object
behaves when called via the Web.
With an appropriate "index_html" you can prevent such calls.


Another option is to use a special folder that restricts
(URL-) traversal through it. I think there is a product
for this (never used it though).


I agree that all these approaches are workarounds only.
Zope should have a special permission (say "URL callable")
to control whether an object can be called via the Web.
But, it does not do ...


-- 
Dieter
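
The "index_html" rule described in the message above, as an added example that is not part of the original post and is not Zope's or the author's code. It is a simplified model: `publish`, `Script`, `Template`, `Forbidden`, `deny_web_access` and `build_site` are hypothetical names, and the site contents are constructed.

```python
# Simplified model of the publishing rule described above; not Zope's code.
# All names and the sample site are constructed for illustration.

class Forbidden(Exception):
    """Raised when an object refuses to be published via a URL."""


def deny_web_access(*args, **kwargs):
    # Guard installed as "index_html": every web call ends here.
    raise Forbidden("not callable via the Web")


class Script:
    """Stand-in for a Python Script or ZSQL method."""

    index_html = None  # a "None" index_html is ignored by the publisher

    def __init__(self, result):
        self.result = result

    def __call__(self):
        return self.result


class Template:
    """Stand-in for a Page Template that calls a script internally."""

    index_html = None

    def __init__(self, script):
        self.script = script

    def __call__(self):
        # Direct Python call: it never passes through publish().
        return "<p>%s</p>" % self.script()


def publish(root, url_path):
    """Toy publisher: traverse url_path, then prefer a non-None index_html."""
    obj = root
    for name in filter(None, url_path.split("/")):
        obj = obj[name]
    default = getattr(obj, "index_html", None)
    return default() if default is not None else obj()


def build_site():
    guarded = Script("rows")
    guarded.index_html = deny_web_access  # instance attribute hides the class-level None
    return {"open": Script("rows"), "guarded": guarded, "page": Template(guarded)}
```

In this model `/guarded` is refused while `/page` still renders, because the template reaches the script through a direct call rather than through the publisher.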

