Zope: Restricted URL Traversal
What is meant by Restricted URL Traversal is the possibility to prevent cross site access in Zope. Let's say we have the following structure:
root
|
|____ Folder1 (Root for www.domain1.tld)
|     |____ index_html
|     |____ images
|
|____ Folder2 (Root for www.domain2.tld)
      |____ index_html
Because of Zope's path traversal and acquisition it is possible to reach the content of Folder1 under the URL http://www.domain2.tld/Folder1. How can this behaviour be prevented in as centralized a way as possible?
Well, in Zope you can set Access Rules for objects in the ZMI. These Access Rules are executed on each request before traversal and publishing take place, so at that point the rule knows nothing about the final context or about the authenticated user. That is the first thing we have to change, by using a Post Traversal Hook.
In the root folder of your ZMI create a Script (Python) and name it access_rule. Give it two parameters (folder, request) and the body of this snippet.
Now make it an Access Rule as explained here. After that you have something like the precondition attribute of a File object: just add a Script (Python) with the id post_traverse_access_rule to any folder you want to control, and it will be called on each request for any object under that folder. The script should return a dictionary, which can contain the following attributes:
If set to true, your script will be called each time the traversal machinery comes upon the container of your script.
If set to true, return values of your script will be applied also when the user has a manager role, otherwise they are ignored. Use with care!
Can be set to a list or whitespace-separated string of allowed hostnames (e.g. ['domain1.com', 'www.domain2.net', 'ssl.domain3.org']). Each request with a hostname not in that list gets a NotFound error.
If set to true, traversal beyond that folder is not possible. Alternatively, a list of allowed paths can be passed.
Can be set to both and prevents cross traversal.
This attribute specifies a URL the user will be redirected to.
Set this attribute if you want to return a value. If it is an exception, it will be raised. Note that this value will be the final response to the user.
Any return value other than a dictionary is ignored, because of the risk of locking yourself out of Zope. Exceptions are collected and added to the REQUEST object (access_rule_errors). Should you lock yourself out of Zope anyway, you can try to disable the Access Rule by adding _SUPPRESS_ACCESSRULE to the URL, or restart Zope with suppress-all-access-rules on in zope.conf.
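The decision the post-traversal script has to make for the Folder1/Folder2 layout above, as an added stand-alone model (not the page's snippet and not Zope's own API): each controlled folder declares the hostnames it is served under, a request from a host not in any list is a NotFound, and a traversed path that crosses into another site's root folder is a NotFound unless the caller is a manager and the rule chose not to apply to managers. The names SITE_RULES, check_request and is_manager are assumptions for this illustration.

```python
# Constructed model of the post-traversal access check (assumption: not
# the real hook's dictionary keys, which this page does not spell out).
SITE_RULES = {
    "Folder1": {"allowed_hosts": ["www.domain1.tld", "domain1.tld"],
                "apply_to_manager": False},
    "Folder2": {"allowed_hosts": ["www.domain2.tld"],
                "apply_to_manager": False},
}


def host_root(host):
    """Return the site root folder that serves this hostname, or None."""
    host = host.split(":")[0].lower()  # drop an optional port
    for folder, rule in SITE_RULES.items():
        if host in rule["allowed_hosts"]:
            return folder
    return None


def check_request(host, path, is_manager=False):
    """Decide 'ok' or 'NotFound' once host and traversed path are known.

    host: value of the Host header, e.g. 'www.domain2.tld'
    path: URL path as traversed, e.g. '/Folder1/index_html'
    """
    root = host_root(host)
    if root is None:
        return "NotFound"  # hostname not allowed for any site
    rule = SITE_RULES[root]
    if is_manager and not rule["apply_to_manager"]:
        return "ok"  # rule results are ignored for managers by default
    # Cross traversal: acquisition would resolve /Folder1 under Folder2's
    # site, so any segment naming another controlled root is refused.
    for segment in (p for p in path.split("/") if p):
        if segment in SITE_RULES and segment != root:
            return "NotFound"
    return "ok"
```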