Question

I am running Plone 3.2.3 and I have installed HumaineMailman so that the users on the website can subscribe and unsubscribe themselves from our various mailing lists. HumaineMailman works very simply. There is a special URL/action that gives you a plain text list of all e-mail addresses that are subscribed on a list. For example:

http://www.example.org/mailman_autolist_update?list=mylist@example.org&password=secret

You're supposed to simply wget that URL and feed the plain text list into Mailman's sync_members. Easy.

The problem is that Plone does not allow me to access that URL anonymously. When I am logged in as administrator I can access the URL in my browser and see the list of e-mail addresses. But when I am not logged in (and when retrieving that URL using wget) then Plone redirects me to the login page.

How do I tell Plone that I want to allow anonymous access to that URL/action? The action itself (in code) is defined in Products/HumaineMailman/skins/mailman_autolist_update.py.

Thanks in advance!


Solution 3

HumaineMailman needs ManagePortal permissions. Those are too much to give to Anonymous, so Lennart's answer didn't solve it for me. Instead, I edited HumaineMailman and redeclared the respective function calls as public. This is a slight security risk though. My Plone is behind an Apache proxy, so I compensated by only allowing access to the member list from localhost (where the wget synchronisation script and Mailman itself are running as well).

OTHER TIPS

There are a couple ways to address this without Apache or redeclaring security (which would make me nervous too):

http://www.example.org:8080/mailman_autolist_update?list=mylist@example.org&password=secret&__ac_name=**USERNAME**&__ac_password=**PASSWORD**&pwd_empty=0&cookies_enabled=1&js_enabled=0&form.submitted=1

I frequently use this trick in scripts with a special user that only does "services". There is also an HTTP Auth trick that looks like http://**USERNAME:PASSWORD@**www.example.org/mailman_autolist_update?list=mylist@example.org&password=secret which may or may not be supported depending on your client lib.

Alternatively, if that code is running in a (script) Python then you can add a metadata file (myScript.py.metadata) and give that script a proxy permission of Manager, i.e.:

[default]
title = Do something useful in the c/py that requires elevated privs
proxy = Manager

Figure out what permission is protecting that page, and give that permission to the Anonymous role in the Plone root.
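
An added example (not part of the original answers or of HumaineMailman): a Python stand-in for the wget step that authenticates as the dedicated service user with an HTTP Basic Authorization header and only returns the body if it is a plain address list, because sync_members removes members that are missing from its input and a login-page redirect would otherwise be read as the new membership. The environment variable names, `min_members` and the `text/plain` expectation are assumptions.

```python
import base64
import os
import re
import urllib.request
from urllib.parse import urlsplit

ADDRESS = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")  # loose shape check, not RFC 5322


class RejectedResponse(Exception):
    """The response is not safe to hand to sync_members."""


def validate_member_list(requested_url, final_url, content_type, body, min_members=1):
    # urllib follows redirects; landing on another path (login form) means auth failed.
    if urlsplit(final_url).path != urlsplit(requested_url).path:
        raise RejectedResponse("redirected to %s" % urlsplit(final_url).path)
    # Assumption: the action answers text/plain, as the question describes.
    if not content_type.lower().startswith("text/plain"):
        raise RejectedResponse("unexpected content type %r" % content_type)
    members = [line.strip() for line in body.splitlines() if line.strip()]
    bad = [m for m in members if not ADDRESS.fullmatch(m)]
    if bad:
        raise RejectedResponse("%d line(s) are not addresses" % len(bad))
    # A short or empty list is treated as a failure, not as "unsubscribe all".
    if len(members) < min_members:
        raise RejectedResponse("only %d member(s) returned" % len(members))
    return members


def fetch_member_list(url, user, password, min_members=1):
    # Service-user credentials travel in the Authorization header instead of
    # __ac_name/__ac_password query parameters, which end up in access logs.
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read().decode("utf-8", "replace")
        return validate_member_list(url, resp.geturl(),
                                    resp.headers.get("Content-Type", ""),
                                    body, min_members)


if __name__ == "__main__":
    # PLONE_SYNC_URL, PLONE_SYNC_USER and PLONE_SYNC_PASSWORD are assumed names.
    for address in fetch_member_list(os.environ["PLONE_SYNC_URL"],
                                     os.environ["PLONE_SYNC_USER"],
                                     os.environ["PLONE_SYNC_PASSWORD"]):
        print(address)
```

Write the output to a temporary file and run sync_members only when the script exits with status 0, so a rejected response never reaches Mailman.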

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow