I want to fix App.Management.Tabs.manage_workspace
Hi there, App.Management.Tabs.manage_workspace sucks as I've described in http://zope.org/Collectors/Zope/1286: 1. manage_workspace is only protected by the Authenticated role, and that is done directly, not even through a permission. 2. self.filtered_manage_roles then limits the options of what can be shown, which might end up being nothing. But, because the method is only protected by 'Authenticated', no chance is given to specify other user credentials (say, from a user folder higher up in the tree) which might be able to see something. 3. There's a bare try/except which masks errors. From what I can see, it should ONLY catch IndexError's. 4. The "raise TypeError" could do with some explanation. 5. The Unauthorized could raise a more helpful message "You are not authorized to view an of this object's management itnerface" What do people feel about the right way to solve this? 3,4 and 5 I'm comfortable with fixing, but I'm stumped as to what "the right thing" is to do on 1 and 2 which combine to create a thorny problem. The semantics I want are: "Show the 1st management tab the user is allowed to see, if they're not allowed to see anything, check if a user of the same name further up the userfolder tree can see anything" Is that right? If so, how do I go about implementing it? Finally, what branches should I do this on? cheers, Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
On Mon, 19 Apr 2004 10:16:08 +0100 Chris Withers <chris@withers.eclipse.co.uk> wrote:
Hi there,
App.Management.Tabs.manage_workspace sucks as I've described in http://zope.org/Collectors/Zope/1286:
1. manage_workspace is only protected by the Authenticated role, and that is done directly, not even through a permission.
I think that is probably because this method is an abstraction for the default managment screen. It does not know what the correct permission is, but assumes you at least must be logged in to see any management screen. What are you suggesting to do about this?
2. self.filtered_manage_roles then limits the options of what can be shown, which might end up being nothing. But, because the method is only protected by 'Authenticated', no chance is given to specify other user credentials (say, from a user folder higher up in the tree) which might be able to see something.
Can you give a concrete use case for what you describe?
3. There's a bare try/except which masks errors. From what I can see, it should ONLY catch IndexError's.
Yep, bare excepts == bad. Kill it.
4. The "raise TypeError" could do with some explanation.
Ok.
5. The Unauthorized could raise a more helpful message "You are not authorized to view an of this object's management itnerface"
-0, I think it may be better to say nothing which discloses less information to would-be attackers. Perhaps VerboseSecurity might be able to elaborate, I dunno.
What do people feel about the right way to solve this? 3,4 and 5 I'm comfortable with fixing, but I'm stumped as to what "the right thing" is to do on 1 and 2 which combine to create a thorny problem.
The semantics I want are: "Show the 1st management tab the user is allowed to see, if they're not allowed to see anything, check if a user of the same name further up the userfolder tree can see anything"
Why? Is this consistent with behavior elsewhere? Are you concerned that lower user folders could lock out global managers by creating non-privileged users with the same name locally? I say YAGNI unless this behavior is somehow inconsistent.
Is that right? If so, how do I go about implementing it? Finally, what branches should I do this on?
2.7 and the HEAD are likely suspects for bug fixes. I doubt there will be another 2.6 release. -Casey
Casey Duncan wrote:
1. manage_workspace is only protected by the Authenticated role, and that is done directly, not even through a permission.
I think that is probably because this method is an abstraction for the default managment screen. It does not know what the correct permission is, but assumes you at least must be logged in to see any management screen.
What are you suggesting to do about this?
My current thinking is "I don't know" ;-) I'm hoping discussion here can firm that up a bit...
2. self.filtered_manage_roles then limits the options of what can be shown, which might end up being nothing. But, because the method is only protected by 'Authenticated', no chance is given to specify other user credentials (say, from a user folder higher up in the tree) which might be able to see something.
Can you give a concrete use case for what you describe?
See below...
3. There's a bare try/except which masks errors. From what I can see, it should ONLY catch IndexError's.
Yep, bare excepts == bad. Kill it.
Will do :-)
5. The Unauthorized could raise a more helpful message "You are not authorized to view an of this object's management itnerface"
-0, I think it may be better to say nothing which discloses less information to would-be attackers. Perhaps VerboseSecurity might be able to elaborate, I dunno.
I don't understand VerboseSecurity enough to make this happen. Since the error message is already different from a "real" auth error, I'd say that vulnerability is already there, and so making it more informative to people it might help is not going to make Zope less secure...
The semantics I want are: "Show the 1st management tab the user is allowed to see, if they're not allowed to see anything, check if a user of the same name further up the userfolder tree can see anything"
Why? Is this consistent with behavior elsewhere?
It's consistent with how Zope userfolders work, yes...
Are you concerned that lower user folders could lock out global managers by creating non-privileged users with the same name locally?
Exactly. And since I did this to myself only to spend a morning going "huh?", I figure this code is not quite right...
2.7 and the HEAD are likely suspects for bug fixes. I doubt there will be another 2.6 release.
Righty, so, now just to figure out what to do... Chris PS: Are there any unit test for this? har har har har... -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
Chris Withers wrote:
Hi there,
App.Management.Tabs.manage_workspace sucks as I've described in http://zope.org/Collectors/Zope/1286:
1. manage_workspace is only protected by the Authenticated role, and that is done directly, not even through a permission.
It is designed to work "above" the permission structure, by showing you only those tabs you are allowed to see. Note that this means that you can build an application which exposes the ZMI to non-manager users, as long as that application does not assign them permissions corresponding to the "manager" views.
2. self.filtered_manage_roles then limits the options of what can be shown, which might end up being nothing. But, because the method is only protected by 'Authenticated', no chance is given to specify other user credentials (say, from a user folder higher up in the tree) which might be able to see something.
If you are already authenticated, then somebody (likely the publisher) has found a user who matches your credentials; that is who you are, for the duration of the request. It would be a *terrible* idea to make this one spot subvert the security machinery this way. Nothing else in Zope does this.
3. There's a bare try/except which masks errors. From what I can see, it should ONLY catch IndexError's.
As Casey says, "kill it dead".
4. The "raise TypeError" could do with some explanation.
The TypeError breaks out of what would otherwise be either infinite recursion (via a bug in some product), or else malicious subversion. No "real" ZMI tab may have 'manage_workspace' as its action.
5. The Unauthorized could raise a more helpful message "You are not authorized to view an of this object's management itnerface"
-0.
What do people feel about the right way to solve this? 3,4 and 5 I'm comfortable with fixing, but I'm stumped as to what "the right thing" is to do on 1 and 2 which combine to create a thorny problem.
The semantics I want are: "Show the 1st management tab the user is allowed to see, if they're not allowed to see anything, check if a user of the same name further up the userfolder tree can see anything"
-1, as above, to checking up the tree. Your credentials identify you, period. Designing for the degenerate case where mutilple users with the same login and password exist at different "depths" from the root, but with different roles, is not a good plan.
Is that right? If so, how do I go about implementing it? Finally, what branches should I do this on?
Definitely not the 2.6 branch; it is closed to anything but urgent security fixes. Tres. -- =============================================================== Tres Seaver tseaver@zope.com Zope Corporation "Zope Dealers" http://www.zope.com
participants (4)
-
Casey Duncan -
Chris Withers -
Chris Withers -
Tres Seaver