[Erp5-dev] limiting/preveneting invoking scripts by URL - any good and correct way?
Vincent Pelletier
vincent at nexedi.com
Wed Nov 26 09:35:01 CET 2008
On Tuesday 25 November 2008 12:01:42, Łukasz Nowak wrote:
> What is the good and correct way[tm] to prevent invoking scripts from
> URL?
>
> I saw somewhere some kind of trick:
>
> params: REQUEST=None, **kwargs
>
> if REQUEST is not None:
> do something, e.g. raise
>
> Is there any "official" way to have such behaviour? Does the above trick
> have any flaws? Is there any better way to prevent users from invoking
> scripts by URL?
Just to add to the "kind of trick" list: if the script expects an object as a
parameter (not a marshalable type like ints, floats, strings, ... but more
like some persistent object) it should not be callable from URL (as long as
there is no way to pass an object via URL, of course).
But the applicable domain is restricted, and it's definitely not the "good and
correct" way you're looking for.
> Some script-based security checks to do it only by
> managers for example?
That's a bit different from preventing a URL call. Checking security would also
raise if that script is called from another script and the user calling
the "original" script (by URL) is not a manager. Proxy roles on either script
should not (AFAIK) affect that check, so setting a manager proxy role
somewhere should have no effect.
--
Vincent Pelletier
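The three mechanisms discussed in the thread (the `REQUEST=None` guard, a script that takes a persistent object as a parameter, and a role check inside the script) can be exercised side by side in a small model. The following is an added example, not code from the thread nor from ERP5 or Zope: `publish`, `Request` and `Unauthorized` are stand-ins written for this example that only mimic the two publisher behaviours the discussion relies on (a parameter named `REQUEST` receives the request object; every other parameter has to come from the URL form), and the script names are made up.

```python
import inspect


class Unauthorized(Exception):
    """Stand-in for AccessControl.Unauthorized (assumption: plays the same role)."""


class Request:
    """Stand-in for a Zope HTTP request, constructed for this example."""

    def __init__(self, form=None, user_roles=()):
        self.form = dict(form or {})        # values that came in through the URL
        self.user_roles = set(user_roles)   # roles of the authenticated user


def publish(script, context, request):
    """Model of how the publisher maps URL parameters onto a script's signature.

    Only two behaviours are modelled: a parameter called REQUEST receives the
    request object itself, and every other parameter must be present in the
    form. A parameter expecting a persistent object can therefore never be
    satisfied from a URL, which is the restriction Vincent describes.
    """
    context["roles"] = request.user_roles
    kwargs = {}
    for name, param in inspect.signature(script).parameters.items():
        if name == "context" or param.kind is inspect.Parameter.VAR_KEYWORD:
            continue
        if name == "REQUEST":
            kwargs[name] = request
        elif name in request.form:
            kwargs[name] = request.form[name]
        elif param.default is inspect.Parameter.empty:
            raise TypeError("missing parameter: %s" % name)
    return script(context, **kwargs)


def setTitle_urlGuarded(context, title, REQUEST=None, **kwargs):
    """The 'REQUEST=None' trick: refuse to run when the publisher supplied REQUEST."""
    if REQUEST is not None:
        raise Unauthorized("not callable from a URL")
    context["title"] = title
    return context["title"]


def setTitle_objectArg(context, document, title):
    """Takes a persistent object ('document'); nothing in a URL can supply it."""
    document["title"] = title
    return document["title"]


def setTitle_managerOnly(context, title, REQUEST=None):
    """Role check inside the script: raises for any caller whose user lacks Manager."""
    if "Manager" not in context["roles"]:
        raise Unauthorized("Manager role required")
    context["title"] = title
    return context["title"]


def callerScript(context, title, REQUEST=None):
    """A script reachable by URL that calls the manager-only script internally."""
    return setTitle_managerOnly(context, title)


def demo():
    """Run each scenario and report whether the call was allowed or refused."""
    context = {"title": "old", "roles": set()}
    results = {}

    # 1. URL call of the guarded script is refused, script-to-script call works.
    try:
        publish(setTitle_urlGuarded, context, Request({"title": "new"}))
        results["url_guarded"] = "allowed"
    except Unauthorized:
        results["url_guarded"] = "refused"
    results["script_guarded"] = setTitle_urlGuarded(context, "new")

    # 2. A script with an object parameter cannot be published at all.
    try:
        publish(setTitle_objectArg, context, Request({"title": "x"}))
        results["url_object"] = "allowed"
    except TypeError:
        results["url_object"] = "refused"

    # 3. The role check raises even for an indirect call by a non-manager...
    try:
        publish(callerScript, context, Request({"title": "y"}, user_roles={"Member"}))
        results["indirect_member"] = "allowed"
    except Unauthorized:
        results["indirect_member"] = "refused"
    # ...and succeeds for a manager, whichever script the URL pointed at.
    results["indirect_manager"] = publish(
        callerScript, context, Request({"title": "z"}, user_roles={"Manager"}))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-18s %s" % (name, outcome))
```

Scenario 3 is the point of the second half of the reply: the role check is evaluated against the user, not against the script that is executing, so `callerScript` does not open a way around it, but it also blocks legitimate script-to-script calls on behalf of ordinary users, which is why it is not a substitute for the `REQUEST` guard.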