tags:

views:

220

answers:

3
Q: 

Grant anonymous access to a specific url/action in Plone

I am running Plone 3.2.3 and I have installed HumaineMailman so that the users on the website can subscribe and unsubscribe themselves from our various mailinglists. HumaineMailman works very simple. There is a special URL/action that gives you a plain text list of all e-mail addresses that are subscribed on a list. For example:

http://www.example.org/[email protected]&password=secret

You're supposed to simply wget that URL and feed the plain text list into Mailman's sync_members. Easy.

The problem is that Plone does not allow me to access that URL anonymously. When I am logged in as administrator I can access the URL in my browser and see the list of e-mail addresses. But when I am not logged in (and when retrieving that URL using wget) then Plone redirects me to the login page.

How do I tell plone that I want to allow anonymous access to that URL/action? The action itself (in code) is defined in Products/HumaineMailman/skins/mailman_autolist_update.py.

Thanks in advance!

+2  A: 

Figure out what permission is protecting that page, and give that permission to the Anonymous role in the Plone root.

Lennart Regebro  2009-08-24 12:35:37
It didn't solve it for me, but it did point me in the right direction. Thanks.
Sander Marechal  2009-08-24 15:00:02
A: 

HumaineMailman needs ManagePortal permissions. Those are too much to give to Anonymous so Lennarts answer didn't solve it for me. Instead, I edited HumaineMailman and redeclared the respective function calls as public. This is a slight security risk though. My Plone is behind an Apache proxy so I compensated by only allow access to the memberlist from localhost (where the wget synchronisation script and mailman itself are running as well).

Sander Marechal  2009-08-24 15:03:49
A: 

There are a couple ways to address this without apache or redeclaring security (which would make me nervous too)

http://www.example.org:8080/[email protected]&password=secret&__ac_name=**USERNAME**&__ac_password=**PASSWORD**&pwd_empty=0&cookies_enabled=1&js_enabled=0&form.submitted=1"

I frequently use this trick in scripts with a special user only does "services". There is also a HTTP Auth trick that looks like http://USERNAME:PASSWORD@www.example.org/[email protected]&password=secret which may or may not be supported depending on your client lib.

Alternatively, if that code is running in a (script) Python then you can add a metadata file (myScript.py.metadata) and give that script a proxy permission of Manager.i.e.

[default]
title = Do something useful in the c/py that requires elevated privs
proxy = Manager
 2009-09-12 00:36:39

related questions

Programmatically talking to a Serial Port in OS X or Linux
Best ways to teach a beginner to program?
Calling a Function From a String With the Function's Name in Python
An executable Python app
Text Editor For Linux (Besides Vi)?
What Hosting Service is best for Django applications?
File size differences after copying a file to a server vía FTP
Python: what is the difference between (1,2,3) and [1,2,3], and when should I use each?
Python: What OS am I running on?
How do I make a menu in python that does not require the user to press (enter) to make a selection?
How do you express binary literals in Python?
What is the most efficient graph data structure in Python?
Adding a Method to an Existing Object
How to learn Python: Good Example Code?
How do I use Python's itertools.groupby()?
Python and MySQL
Class views in Django
Is there an IDE that provides code completion for Python
Using 'in' to match an attribute of Python objects in an array
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Continuous Integration System for a Python Codebase
Get a preview jpeg of a pdf on windows?
How can I find the full path to a font from its display name on a Mac?
XML Processing in Python