Mailing List Archive

Python Script Security
Hello all

I have a dtml method which builds a page from various different python
scripts.
How can I stop the python scripts from being called and passed variables
independently of the main dtml method? I've tried some research on proxy
roles but couldn't pin it down. ZSQL methods are not callable
independently and I would like Python Scripts to behave the same.
TIA
Rich
_______________________________________________
Zope maillist - Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope-dev )
Re: Python Script Security
Hi Rich,

I am not aware of any method to stop a script from being directly
called. You can however check this in the script itself.

You could try something like this (untested):
    from AccessControl import Unauthorized
    # `script` is the Python Script object itself; PUBLISHED is the object the URL resolved to
    if context.REQUEST.get("PUBLISHED") == script:
        raise Unauthorized("this script may not be called directly")

This checks if the currently published object equals the current script.

Bart

On 11/18/11 19:05, Richard Harley wrote:
> Hello all
>
> I have a dtml method which builds a page from various different python
> scripts.
> How can I stop the python scripts from being called and passed variables
> independently of the main dtml method? I've tried some research on proxy
> roles but couldn't pin it down. ZSQL methods are not callable
> independently and I would like Python Scripts to behave the same.
> TIA
> Rich
Re: Python Script Security
Rich,

You can modify the permissions on each of your python scripts to require some role, say "gatekeeper" and then proxy your front-end script to have the role "gatekeeper". Then, only users or scripts with the role "gatekeeper" can call the script directly.

Brian Brinegar
Purdue University

----- Original Message -----
From: "Richard Harley" <richard@scholarpack.com>
To: zope@zope.org
Sent: Friday, November 18, 2011 1:05:27 PM
Subject: [Zope] Python Script Security

Hello all

I have a dtml method which builds a page from various different python
scripts.
How can I stop the python scripts from being called and passed variables
independently of the main dtml method? I've tried some research on proxy
roles but couldn't pin it down. ZSQL methods are not callable
independently and I would like Python Scripts to behave the same.
TIA
Rich
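Added example, not code from this thread or from Zope: a small offline model of the two guards Bart and Brian describe, so the difference between them can be exercised without a Zope instance. The classes Request, User, Context and Script, the publish() helper and the "Anonymous" role are the model's assumptions; it mimics only three Zope behaviours: REQUEST['PUBLISHED'] is the object the URL traversed to, a permission on an object maps to the roles allowed to exercise it, and a script with proxy roles runs as if the caller had exactly those roles.

```python
# Added example: offline model of the PUBLISHED guard (Bart) and the
# gatekeeper-role + proxy-role pattern (Brian). Not Zope code; the class and
# function names below are assumptions that mimic the relevant behaviour.


class Unauthorized(Exception):
    """Raised when a role check or a direct-call guard fails."""


class Request:
    def __init__(self, published):
        self.published = published  # the object the URL traversed to

    def get(self, key, default=None):
        return {"PUBLISHED": self.published}.get(key, default)


class User:
    def __init__(self, name, roles):
        self.name, self.roles = name, frozenset(roles)


class Context:
    """Per-request state: the request plus a stack of active role sets."""

    def __init__(self, request, user):
        self.REQUEST = request
        self.role_stack = [user.roles]

    def effective_roles(self):
        return self.role_stack[-1]


class Script:
    def __init__(self, name, body, required_roles, proxy_roles=None, direct_ok=True):
        self.name = name
        self.body = body  # callable(ctx, **kw) -> str
        self.required_roles = frozenset(required_roles)  # the "permission" setting
        self.proxy_roles = None if proxy_roles is None else frozenset(proxy_roles)
        self.direct_ok = direct_ok  # False applies Bart's PUBLISHED guard

    def __call__(self, ctx, **kw):
        # Brian's pattern: the caller's effective roles must satisfy the permission.
        if not self.required_roles & ctx.effective_roles():
            raise Unauthorized("%s: caller lacks a required role" % self.name)
        # Bart's pattern: refuse if this script is the object the URL pointed at.
        if not self.direct_ok and ctx.REQUEST.get("PUBLISHED") is self:
            raise Unauthorized("%s: must not be called directly" % self.name)
        # Proxy roles replace the caller's roles while the body runs.
        if self.proxy_roles is not None:
            ctx.role_stack.append(self.proxy_roles)
        try:
            return self.body(ctx, **kw)
        finally:
            if self.proxy_roles is not None:
                ctx.role_stack.pop()


def publish(obj, user, **kw):
    """Simulate an HTTP request whose URL resolves to obj, with form data kw."""
    return obj(Context(Request(published=obj), user), **kw)


# Constructed sample site: two helper scripts and the front-end pages that call them.
ANONYMOUS = User("anon", ["Anonymous"])
GATEKEEPER = User("admin", ["Anonymous", "gatekeeper"])

row_by_role = Script("row_by_role", lambda ctx, **kw: "<li>%s</li>" % kw["item"],
                     required_roles=["gatekeeper"])
page_by_role = Script("page_by_role",
                      lambda ctx, **kw: "<ul>%s</ul>" % "".join(row_by_role(ctx, item=i) for i in kw["items"]),
                      required_roles=["Anonymous"], proxy_roles=["gatekeeper"])

row_by_guard = Script("row_by_guard", lambda ctx, **kw: "<li>%s</li>" % kw["item"],
                      required_roles=["Anonymous"], direct_ok=False)
page_by_guard = Script("page_by_guard",
                       lambda ctx, **kw: "<ul>%s</ul>" % "".join(row_by_guard(ctx, item=i) for i in kw["items"]),
                       required_roles=["Anonymous"])


def render(page, user, items=("a", "b")):
    """Publish the front-end page as `user`; returns the HTML string."""
    return publish(page, user, items=items)


def direct_call_refused(helper, user):
    """True if publishing the helper by URL, with a form variable, is refused."""
    try:
        publish(helper, user, item="x")
    except Unauthorized:
        return True
    return False


if __name__ == "__main__":
    for page, helper in ((page_by_role, row_by_role), (page_by_guard, row_by_guard)):
        print(helper.name, "refused for anonymous:", direct_call_refused(helper, ANONYMOUS))
        print(page.name, "renders:", render(page, ANONYMOUS))
```

Two caveats fall out of the model. With the gatekeeper pattern, a user who genuinely holds the "gatekeeper" role can still call the helper directly, so that role should exist only to be proxied, never granted to ordinary accounts. With the PUBLISHED guard, the helper remains callable by any other object that can reach it; the check stops URL access, not reuse from other scripts.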
Re: Python Script Security
Richard Harley wrote:
> ZSQL methods are not callable
> independently

I have strong doubts about that claim.

-aj
Re: Python Script Security
Thanks Bart and Brian, I will investigate those. Andreas - how is a zsql method
rendered and called through the browser?
Thanks
Rich



Quoting Andreas Jung <lists@zopyx.com>:

> Richard Harley wrote:
> > ZSQL methods are not callable
> > independently
>
> I have strong doubts about that claim.
>
> -aj