Security gap in "Manage users" & "Manage permissions" permissions (IMHO)
One thing I like about proxy roles is that you can't give a proxy role for a role you don't have.

Equally, IMHO when you have the "Change permissions" permission you shouldn't be able to grant permissions you don't have. And if we want completeness, when you have "Manage users" you shouldn't be able to give roles you don't have _except_ if you're Manager (because otherwise it would be impossible to create new roles...)

Is there a flaw in my reasoning?

(What I'd like to do in practice is create an "Admin" role for a subsite and grant "Manage users" to this role, so that they can create new users and grant the "Admin" and "Narrador" roles for other users. But as it currently stands, if I give them "Manage users" they can grant "Manager" to themselves and do pretty much anything.)

[]s,
|alo
+----
--
Hack and Roll ( http://www.hackandroll.org )
News for, uh, whatever it is that we are.
http://www.webcom.com/lalo mailto:lalo@hackandroll.org
pgp key in the personal page
Brazil of Darkness (RPG) --- http://zope.gf.com.br/BroDar

On Fri, 31 Mar 2000, Lalo Martins wrote:
> One thing I like about proxy roles is that you can't give a proxy role for a role you don't have.
>
> Equally, IMHO when you have the "Change permissions" permission you shouldn't be able to grant permissions you don't have. And if we want completeness, when you have "Manage users" you shouldn't be able to give roles you don't have _except_ if you're Manager (because otherwise it would be impossible to create new roles...)
>
> Is there a flaw in my reasoning?

It sounds pretty good to me. Maybe the way to do this is with an "Assign other roles" permission: Allow the user to assign roles they aren't assigned themselves. Then only give this permission to the Manager role. Then when you manage users, if you are assigning a role you have, it works, and if you don't have it, it only works if you have "Assign other roles". Or maybe it should be "Assign any role" for emphasis.

I have been thinking about this problem a bit myself, because the project I am working on will have users that need to manage other users, but not necessarily have full access, and was coming to the conclusion that the expedient way to do it was to subvert the system altogether (since I am using GUF+MySQL). But if I can tie this into the standard Zope user management stuff, all the better.

--
andy dustman | programmer/analyst | comstar.net, inc.
telephone: 770.485.6025 / 706.549.7689 | icq: 32922760 | pgp: 0xc72f3f1d
"Therefore, sweet knights, if you may doubt your strength or courage, come no further, for death awaits you all, with nasty, big, pointy teeth!"
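
The check proposed in this thread, modeled as an added example (standalone Python, not Zope's own code or API and not written by either poster). The role names come from the messages above; the role-to-permission table and the function names are constructed for illustration. It also shows a consequence of the rule: a subsite Admin can only assign "Narrador" if they hold that role themselves.

```python
# Standalone model of the rule proposed in the thread; not Zope's API.
# Role names come from the thread; the permission sets are constructed.
ASSIGN_ANY = "Assign any role"  # hypothetical permission suggested in the reply

ROLE_PERMISSIONS = {
    "Manager": {"Manage users", "Change permissions", ASSIGN_ANY, "View"},
    "Admin": {"Manage users", "View"},
    "Narrador": {"View"},
}


def permissions_of(roles):
    """Union of the permissions granted by a set of roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def can_assign_role(actor_roles, role):
    """Assign a role only if the actor holds it or may assign any role."""
    perms = permissions_of(actor_roles)
    if "Manage users" not in perms:
        return False
    return role in actor_roles or ASSIGN_ANY in perms


def can_grant_permission(actor_roles, permission):
    """Same idea for "Change permissions": no granting what you lack."""
    perms = permissions_of(actor_roles)
    return "Change permissions" in perms and permission in perms


def assign_roles(actor_roles, target_roles, new_roles):
    """Return the target's updated roles, or raise if any role is refused."""
    refused = sorted(r for r in new_roles if not can_assign_role(actor_roles, r))
    if refused:
        raise PermissionError("cannot assign: " + ", ".join(refused))
    return set(target_roles) | set(new_roles)
```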