
Mailing List Archive: Zope: Users

how to prevent URL access to an external method?

 

 



pedrolawrench at yahoo

Apr 28, 2009, 8:04 AM

Post #1 of 14 (2901 views)
Permalink
how to prevent URL access to an external method?

I need to do something on the filesystem, which requires unrestricted python, so I created an external method. The problem is that anyone can call that directly via URL, so I added a permission check. Even then, users with the sufficient permissions can call this via URL, which I don't want them to do. I only want them to have access indirectly from other pages (such as a page template that will pass sane parameters). Is there any way to do this?
 
Thanks,
PL



_______________________________________________
Zope maillist - Zope [at] zope
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )


lukesh at seznam

Apr 28, 2009, 8:07 AM

Post #2 of 14 (2800 views)
Permalink
Re: how to prevent URL access to an external method? [In reply to]

Click at the Proxy tab at method with "View" permission

----- Original Message -----
From: "Pedro LaWrench" <pedrolawrench [at] yahoo>

I need to do something on the filesystem, which requires unrestricted
python, so I created an external method. The problem is that anyone can call
that directly via URL, so I added a permission check. Even then, users with
the sufficient permissions can call this via URL, which I don't want them to
do. I only want them to have access indirectly from other pages (such as a
page template that will pass sane parameters). Is there anyway to do this?



dev101 at magma

Apr 28, 2009, 8:08 AM

Post #3 of 14 (2803 views)
Permalink
Re: how to prevent URL access to an external method? [In reply to]

Within the ExternalMethod you could check the ACTUAL_URL variable (in
REQUEST) and if the name of the external method is found you could redirect
the user to a "you're a baaad user" page.

Jonathan

----- Original Message -----
From: "Pedro LaWrench" <pedrolawrench [at] yahoo>
To: <zope [at] zope>
Sent: Tuesday, April 28, 2009 11:04 AM
Subject: [Zope] how to prevent URL access to an external method?



I need to do something on the filesystem, which requires unrestricted
python, so I created an external method. The problem is that anyone can call
that directly via URL, so I added a permission check. Even then, users with
the sufficient permissions can call this via URL, which I don't want them to
do. I only want them to have access indirectly from other pages (such as a
page template that will pass sane parameters). Is there anyway to do this?

Thanks,
PL





lists at zopyx

Apr 28, 2009, 8:09 AM

Post #4 of 14 (2811 views)
Permalink
Re: how to prevent URL access to an external method? [In reply to]

Use a BrowserView?!

-aj

On Tue, Apr 28, 2009 at 17:04, Pedro LaWrench <pedrolawrench [at] yahoo>wrote:

>
> I need to do something on the filesystem, which requires unrestricted
> python, so I created an external method. The problem is that anyone can call
> that directly via URL, so I added a permission check. Even then, users with
> the sufficient permissions can call this via URL, which I don't want them to
> do. I only want them to have access indirectly from other pages (such as a
> page template that will pass sane parameters). Is there anyway to do this?
>
> Thanks,
> PL
>
>
>


pedrolawrench at yahoo

Apr 28, 2009, 8:23 AM

Post #5 of 14 (2799 views)
Permalink
Re: how to prevent URL access to an external method? [In reply to]

I don't know what this means.  BTW, I'm using Zope 2.9.8, if that matters, along with Plone 2.5.4.




________________________________
From: Andreas Jung <lists [at] zopyx>
To: Pedro LaWrench <pedrolawrench [at] yahoo>
Cc: zope [at] zope
Sent: Tuesday, April 28, 2009 8:09:14 AM
Subject: Re: [Zope] how to prevent URL access to an external method?

Use a BrowserView?!

-aj


On Tue, Apr 28, 2009 at 17:04, Pedro LaWrench <pedrolawrench [at] yahoo> wrote:


I need to do something on the filesystem, which requires unrestricted python, so I created an external method. The problem is that anyone can call that directly via URL, so I added a permission check. Even then, users with the sufficient permissions can call this via URL, which I don't want them to do. I only want them to have access indirectly from other pages (such as a page template that will pass sane parameters). Is there anyway to do this?
 
Thanks,
PL





pedrolawrench at yahoo

Apr 28, 2009, 8:27 AM

Post #6 of 14 (2791 views)
Permalink
Re: how to prevent URL access to an external method? [In reply to]

I like this idea.  Is this a standard approach in the Zope world?  Surely this is a relatively common problem...at least it seems to me that the intention of external methods is to provide support routines with unrestricted python that are never meant to be called directly by users.  Or are external methods the wrong way to do this?



----- Original Message ----
From: Jonathan (dev101) <dev101 [at] magma>
To: Pedro LaWrench <pedrolawrench [at] yahoo>; zope [at] zope
Sent: Tuesday, April 28, 2009 8:08:03 AM
Subject: Re: [Zope] how to prevent URL access to an external method?

Within the ExternalMethod you could check the ACTUAL_URL variable (in REQUEST) and if the name of the external method is found you could redirect the user to a "you're a baaad user" page.

Jonathan

----- Original Message ----- From: "Pedro LaWrench" <pedrolawrench [at] yahoo>
To: <zope [at] zope>
Sent: Tuesday, April 28, 2009 11:04 AM
Subject: [Zope] how to prevent URL access to an external method?



I need to do something on the filesystem, which requires unrestricted python, so I created an external method. The problem is that anyone can call that directly via URL, so I added a permission check. Even then, users with the sufficient permissions can call this via URL, which I don't want them to do. I only want them to have access indirectly from other pages (such as a page template that will pass sane parameters). Is there anyway to do this?

Thanks,
PL





tseaver at palladion

Apr 28, 2009, 8:38 AM

Post #7 of 14 (2803 views)
Permalink
Re: how to prevent URL access to an external method? [In reply to]


Pedro LaWrench wrote:
> I need to do something on the filesystem, which requires unrestricted
> python, so I created an external method. The problem is that anyone
> can call that directly via URL, so I added a permission check. Even
> then, users with the sufficient permissions can call this via URL,
> which I don't want them to do. I only want them to have access
> indirectly from other pages (such as a page template that will pass
> sane parameters). Is there anyway to do this?

Add a REQUEST argument to your function, defaulting to None. The
publisher will always pass the request in for that argument, while the
other templates / scripts should not. E.g.:

def doSomething(self, REQUEST=None):
    """ Don't call me directly via a URL!!!
    """
    if REQUEST is not None:
        raise ValueError('Wicked, evil, naughty Zoot!')


Tres.
- --
===================================================================
Tres Seaver +1 540-429-0999 tseaver [at] palladion
Palladion Software "Excellence by Design" http://palladion.com
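
Added example, not part of the original message and not Zope's own code: a simplified stand-in for URL publishing shows why the REQUEST=None guard in the post above fires for published calls but not for internal ones. FakeRequest, publish, outcome, the filename parameter and BASE_DIR are assumptions, and the path check is an extra validation added here so the method does not depend on callers alone for sane parameters.

```python
import inspect
import os

# Hypothetical directory the external method may touch (assumption, not from the thread).
BASE_DIR = os.path.realpath("/var/zope/exports")


class FakeRequest(object):
    """Constructed stand-in for the Zope request object."""

    def __init__(self, form):
        self.form = dict(form)

    def get(self, name, default=None):
        # In this stand-in the request hands itself out under the name REQUEST.
        if name == "REQUEST":
            return self
        return self.form.get(name, default)


def publish(func, context, request):
    """Simplified stand-in for URL publishing: bind arguments by name from the request."""
    missing = object()
    kwargs = {}
    for param in list(inspect.signature(func).parameters.values())[1:]:  # skip self
        value = request.get(param.name, missing)
        if value is not missing:
            kwargs[param.name] = value
        elif param.default is inspect.Parameter.empty:
            raise TypeError("missing argument: %s" % param.name)
    return func(context, **kwargs)


def doSomething(self, filename, REQUEST=None):
    """External method body: refuse publisher calls, then validate the parameter."""
    if REQUEST is not None:
        raise ValueError("direct URL access is not allowed")
    # Callers are expected to pass sane parameters, but check anyway:
    # resolve the path and require it to stay under BASE_DIR.
    target = os.path.realpath(os.path.join(BASE_DIR, filename))
    if not target.startswith(BASE_DIR + os.sep):
        raise ValueError("path leaves %s" % BASE_DIR)
    return target


def outcome(call):
    """Run call() and report either its result or the ValueError message."""
    try:
        return ("ok", call())
    except ValueError as exc:
        return ("refused", str(exc))


if __name__ == "__main__":
    ctx = object()
    # Internal call, as a page template or script would make it: no REQUEST passed.
    print(outcome(lambda: doSomething(ctx, "report.txt")))
    # Same function reached through the stand-in publisher: REQUEST is filled in.
    req = FakeRequest({"filename": "report.txt"})
    print(outcome(lambda: publish(doSomething, ctx, req)))
    # An internal caller that forwards the request by mistake trips the guard too.
    print(outcome(lambda: doSomething(ctx, "report.txt", REQUEST=req)))
    # Internal call with a path that climbs out of BASE_DIR.
    print(outcome(lambda: doSomething(ctx, "../../etc/passwd")))
```

The third case is the one to watch in practice: the guard only separates the two call paths as long as internal templates and scripts never pass REQUEST through.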


pedrolawrench at yahoo

Apr 28, 2009, 8:42 AM

Post #8 of 14 (2803 views)
Permalink
Re: how to prevent URL access to an external method? [In reply to]

Excellent.  Thank you all for the suggestions.



----- Original Message ----
From: Tres Seaver <tseaver [at] palladion>
To: zope [at] zope
Sent: Tuesday, April 28, 2009 8:38:18 AM
Subject: Re: [Zope] how to prevent URL access to an external method?


Pedro LaWrench wrote:
> I need to do something on the filesystem, which requires unrestricted
> python, so I created an external method. The problem is that anyone
> can call that directly via URL, so I added a permission check. Even
> then, users with the sufficient permissions can call this via URL,
> which I don't want them to do. I only want them to have access
> indirectly from other pages (such as a page template that will pass
> sane parameters). Is there anyway to do this?

Add a REQUEST argument to your function, defaulting to None.  The
publisher will always pass the request in for that argument, while the
other templates / scripts should not.  E.g.:

def doSomething(self, REQUEST=None):
    """ Don't call me directly via a URL!!!
    """
    if REQUEST is not None:
        raise ValueError('Wicked, evil, naughty Zoot!')


Tres.
- --
===================================================================
Tres Seaver          +1 540-429-0999          tseaver [at] palladion
Palladion Software  "Excellence by Design"    http://palladion.com


lukesh at seznam

Apr 28, 2009, 8:50 AM

Post #9 of 14 (2803 views)
Permalink
Re: how to prevent URL access to an external method? [In reply to]

Why? It is a more transparent and better way - use the security tab.


----- Original Message -----
From: "Tres Seaver" <tseaver [at] palladion>


>
> Pedro LaWrench wrote:
>> I need to do something on the filesystem, which requires unrestricted
>> python, so I created an external method. The problem is that anyone
>> can call that directly via URL, so I added a permission check. Even
>> then, users with the sufficient permissions can call this via URL,
>> which I don't want them to do. I only want them to have access
>> indirectly from other pages (such as a page template that will pass
>> sane parameters). Is there anyway to do this?
>
> Add a REQUEST argument to your function, defaulting to None. The
> publisher will always pass the request in for that argument, while the
> other templates / scripts should not. E.g.:
>
> def doSomething(self, REQUEST=None):
>     """ Don't call me directly via a URL!!!
>     """
>     if REQUEST is not None:
>         raise ValueError('Wicked, evil, naughty Zoot!')



garito at sistes

Apr 28, 2009, 9:20 AM

Post #10 of 14 (2793 views)
Permalink
Re: how to prevent URL access to an external method? [In reply to]

In my opinion Tres's way is the correct one for this case

Why? Because the original must be is to run the script only for internal
processes

The main difference between an internal call and a user one is the REQUEST
parameter and then the Tres's solution seems the more convenient way

It's only my opinion

2009/4/28 Jaroslav Lukesh <lukesh [at] seznam>

> Why? It is more transparent and better way - use security tab.
>
>
> ----- Original Message -----
> From: "Tres Seaver" <tseaver [at] palladion>
>
>
> >
> > Pedro LaWrench wrote:
> >> I need to do something on the filesystem, which requires unrestricted
> >> python, so I created an external method. The problem is that anyone
> >> can call that directly via URL, so I added a permission check. Even
> >> then, users with the sufficient permissions can call this via URL,
> >> which I don't want them to do. I only want them to have access
> >> indirectly from other pages (such as a page template that will pass
> >> sane parameters). Is there anyway to do this?
> >
> > Add a REQUEST argument to your function, defaulting to None. The
> > publisher will always pass the request in for that argument, while the
> > other templates / scripts should not. E.g.:
> >
> > def doSomething(self, REQUEST=None):
> >     """ Don't call me directly via a URL!!!
> >     """
> >     if REQUEST is not None:
> >         raise ValueError('Wicked, evil, naughty Zoot!')
>



--
Mis Cosas
http://blogs.sistes.net/Garito
Zope Smart Manager
http://blogs.sistes.net/Garito/670


pedrolawrench at yahoo

Apr 28, 2009, 9:25 AM

Post #11 of 14 (2791 views)
Permalink
Re: how to prevent URL access to an external method? [In reply to]

What would you change on the security tab?  I still want my authenticated users to have access to the method as a call to it is made from unrestricted space (such as a page template), I just don't want them to call the method directly.



----- Original Message ----
From: Jaroslav Lukesh <lukesh [at] seznam>
To: zope [at] zope; Tres Seaver <tseaver [at] palladion>
Sent: Tuesday, April 28, 2009 8:50:29 AM
Subject: Re: [Zope] how to prevent URL access to an external method?

Why? It is more transparent and better way - use security tab.


----- Original Message -----
From: "Tres Seaver" <tseaver [at] palladion>


>
> Pedro LaWrench wrote:
>> I need to do something on the filesystem, which requires unrestricted
>> python, so I created an external method. The problem is that anyone
>> can call that directly via URL, so I added a permission check. Even
>> then, users with the sufficient permissions can call this via URL,
>> which I don't want them to do. I only want them to have access
>> indirectly from other pages (such as a page template that will pass
>> sane parameters). Is there anyway to do this?
>
> Add a REQUEST argument to your function, defaulting to None.  The
> publisher will always pass the request in for that argument, while the
> other templates / scripts should not.  E.g.:
>
> def doSomething(self, REQUEST=None):
>    """ Don't call me directly via a URL!!!
>    """
>    if REQUEST is not None:
>        raise ValueError('Wicked, evil, naughty Zoot!')



lukesh at seznam

Apr 28, 2009, 9:29 AM

Post #12 of 14 (2806 views)
Permalink
Re: how to prevent URL access to an external method? [In reply to]

Method1: security allow view only for manager

Method2: contain calling of method1, security: view for anonymous or role
what you want for.


----- Original Message -----
From: "Pedro LaWrench" <pedrolawrench [at] yahoo>



What would you change on the security tab? I still want my authenticated
users to have access to the method as a call to it is made from unrestricted
space (such as a page template), I just don't want them to call the method
directly.



----- Original Message ----
From: Jaroslav Lukesh <lukesh [at] seznam>
To: zope [at] zope; Tres Seaver <tseaver [at] palladion>
Sent: Tuesday, April 28, 2009 8:50:29 AM
Subject: Re: [Zope] how to prevent URL access to an external method?

Why? It is more transparent and better way - use security tab.




regebro at gmail

Apr 28, 2009, 11:12 AM

Post #13 of 14 (2803 views)
Permalink
Re: how to prevent URL access to an external method? [In reply to]

On Tue, Apr 28, 2009 at 18:25, Pedro LaWrench <pedrolawrench [at] yahoo> wrote:
>
> What would you change on the security tab?  I still want my authenticated users to have access to the method as a call to it is made from unrestricted space (such as a page template)

A page template is restricted. If it really was unrestricted it would
be called from Python code on the hard disk, and then you wouldn't
need the external method.

> I just don't want them to call the method directly.

So Tres method is the simplest one that does just this.

--
Lennart Regebro: Python, Zope, Plone, Grok
http://regebro.wordpress.com/
+33 661 58 14 64


pedrolawrench at yahoo

Apr 28, 2009, 12:08 PM

Post #14 of 14 (2797 views)
Permalink
Re: how to prevent URL access to an external method? [In reply to]

Sorry, you are correct, I meant to say from restricted space.  The external method is what gives me access to unrestricted python.  I do plan on using Tres' method.



----- Original Message ----
From: Lennart Regebro <regebro [at] gmail>
To: Pedro LaWrench <pedrolawrench [at] yahoo>
Cc: Jaroslav Lukesh <lukesh [at] seznam>; zope [at] zope; Tres Seaver <tseaver [at] palladion>
Sent: Tuesday, April 28, 2009 11:12:20 AM
Subject: Re: [Zope] how to prevent URL access to an external method?

On Tue, Apr 28, 2009 at 18:25, Pedro LaWrench <pedrolawrench [at] yahoo> wrote:
>
> What would you change on the security tab?  I still want my authenticated users to have access to the method as a call to it is made from unrestricted space (such as a page template)

A page template is restricted. If it really was unrestricted it would
be called from Python code on the hard disk, and then you wouldn't
need the external method.

> I just don't want them to call the method directly.

So Tres method is the simplest one that does just this.

--
Lennart Regebro: Python, Zope, Plone, Grok
http://regebro.wordpress.com/
+33 661 58 14 64



