Cliff Ford wrote:
> My people want to adopt a single sign-on system for web applications that is based on the REMOTE_USER environment variable. I have tried out RemoteUserFolder and also adapted exUserFolder to work similarly.
>
> My problem is that I figured out how a user who has permission to create Python scripts (might work with dtml and page templates too) could access otherwise forbidden content by making calls that pretend to come from another user. Has anyone else come across this problem and devised a solution, either in software or organisation?
>
> Problem verified with Zope 2.9.2 and latest RemoteUserFolder

User folders who care need to look at the request's 'environ' dict, e.g.::

    remote_user = request.environ['REMOTE_USER'] # not hackable

rather than the default one where untrusted code can scribble::

    remote_user = request['REMOTE_USER'] # hackable

Tres.
--
===================================================================
Tres Seaver          +1 202-558-7113          tseaver@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
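
An added example, not part of the original message and not Zope or RemoteUserFolder code: a simplified model of the two lookups contrasted in the reply, showing why a user folder should read the server-supplied environment directly. `ModelRequest`, `identify_from_lookup` and `identify_from_environ` are hypothetical names, and the layered lookup and the read-only `environ` are assumptions of the model.

```python
from types import MappingProxyType


class ModelRequest:
    """Simplified stand-in for a request object (assumption, not Zope's code)."""

    def __init__(self, environ):
        # Values supplied by the front-end web server; modelled as read-only.
        self.environ = MappingProxyType(dict(environ))
        # Per-request scratch layer that any code holding the request can write.
        self.other = {}

    def set(self, key, value):
        self.other[key] = value

    def __getitem__(self, key):
        # Layered lookup: the writable layer shadows the server-supplied one.
        if key in self.other:
            return self.other[key]
        return self.environ[key]


def identify_from_lookup(request):
    """Weak: trusts the layered lookup, which the writable layer can shadow."""
    try:
        return request['REMOTE_USER']
    except KeyError:
        return None


def identify_from_environ(request):
    """Hardened: reads only what the server placed in the environment."""
    return request.environ.get('REMOTE_USER') or None


def demo():
    # Constructed sample: the web server authenticated 'alice'.
    request = ModelRequest({'REMOTE_USER': 'alice'})
    before = (identify_from_lookup(request), identify_from_environ(request))
    # Stands in for untrusted code scribbling on the request.
    request.set('REMOTE_USER', 'manager')
    after = (identify_from_lookup(request), identify_from_environ(request))
    return before, after


if __name__ == '__main__':
    print(demo())
```

The hardened function also treats a missing or empty `REMOTE_USER` as "no identity", so a request that never passed through the authenticating front end is not mapped to a user.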