[Erp5-dev] limiting/preventing invoking scripts by URL - any good and correct way?
Yoshinori Okuji
yo at nexedi.com
Tue Nov 25 21:57:40 CET 2008
On Tuesday 25 November 2008 12:01:42 Łukasz Nowak wrote:
> Hello,
>
> What is the good and correct way[tm] to prevent invoking scripts from
> URL?

I don't think we have any generic consensus about this.

> I saw somewhere some kind of trick:
>
> params: REQUEST=None, **kwargs
>
> if REQUEST is not None:
>   do something, e.g. raise
>
> Is there any "official" way to have such behaviour? Does the above trick
> have any flaws? Is there any better way to prevent users from invoking
> scripts by URL? Some script-based security checks to do it only by
> managers for example?

Personally, I don't think it is so important to prevent invoking any script
directly from a URL. What's important is to guarantee that the script is
invoked with good parameters and a good context by an appropriate user. It
should not be critical from where it is invoked.

If you can accept this argument above, it is a matter of security and sanity
checks.

I think you may avoid the argument only if it is too heavy to make
restrictive checks or too difficult to make sure that the conditions are sane
only by a callee. In this case, I myself prefer to write code in a Product.

Regards,
YO
--
Yoshinori Okuji, Nexedi KK President / Nexedi SA CTO
Nexedi: Consulting and Development of Free / Open Source Software
http://www.nexedi.co.jp/
ERP5: Full Featured High End Open Source ERP
http://www.erp5.com/
ERP5 Wiki: Developer Zone for ERP5 Community
http://www.erp5.org/
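
Added example, not part of the original message and not ERP5 or Zope code: a self-contained Python model that contrasts the `REQUEST is not None` guard from the question with callee-side user and parameter checks of the kind the reply argues for. `publish`, `call_internal`, `FakeRequest`, `current_roles` and the two `adjust_*` scripts are hypothetical stand-ins; `publish` only imitates how a URL call fills a parameter named REQUEST.

```python
# Illustrative model only: every name here is an assumption, not a Zope/ERP5 API.
import inspect

class Unauthorized(Exception):
    pass

class FakeRequest:
    """Constructed stand-in for an HTTP request: caller roles plus form data."""
    def __init__(self, roles, form):
        self.roles, self.form = set(roles), dict(form)

current_roles = set()  # stand-in for the current user's roles

def publish(script, request):
    """Model of a URL hit: form fields map to named parameters, and a
    parameter called REQUEST receives the request object."""
    global current_roles
    current_roles = request.roles
    params = inspect.signature(script).parameters
    kwargs = {k: v for k, v in request.form.items() if k in params}
    if "REQUEST" in params:
        kwargs["REQUEST"] = request
    return script(**kwargs)

def call_internal(roles, script, **kwargs):
    """Model of other code calling the script while running with these roles."""
    global current_roles
    current_roles = set(roles)
    return script(**kwargs)

def adjust_by_origin(quantity, REQUEST=None, **kw):
    """The trick from the question: refuse only when reached by URL."""
    if REQUEST is not None:
        raise Unauthorized("not callable by URL")
    return "adjusted by %s" % quantity

def adjust_checked(quantity, REQUEST=None):
    """Callee-side checks: who is calling and whether the input is sane."""
    if "Manager" not in current_roles:
        raise Unauthorized("Manager role required")
    qty = int(quantity)  # ValueError on non-numeric input
    if not 0 < qty <= 1000:
        raise ValueError("quantity out of range")
    return "adjusted by %d" % qty

def attempt(call):
    """Return the result, or the exception class name if the call fails."""
    try:
        return call()
    except (Unauthorized, ValueError) as exc:
        return type(exc).__name__
```

In this model the origin guard rejects a Manager arriving by URL yet accepts any internal caller with any quantity, while the checked script gives the same answer for both call paths.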