RDBMS Applications and direct calling of script(python) and sql methods
I am looking to use Zope for a database-driven web application. For the most part Zope looks like a good fit and will definitely speed up development. However, there seems to be a major security issue for database-driven sites.

Let's take a simple example: assume that each user has an id that is keyed to his 'stuff'. The ZSQL method must be passed this id to access his stuff. This is all fine and good; a Script (Python) method could provide this to the ZSQL method behind the scenes without any great issue. The problem comes in when the user attempts to access this ZSQL method via its URL. Going this route he could pretty easily supply an arbitrary id and get access to information that he shouldn't have. This assumes that the user is aware of or can guess the name of the ZSQL method. This isn't enough of a protection in my mind.

I am sorry if I wasn't super coherent in this post, I had a very long day and late night last night.

Thanks for the input,
Eric
On Thu, 2003-10-09 at 13:36, Eric Merritt wrote:
Let's take a simple example: assume that each user has an id that is keyed to his 'stuff'. The ZSQL method must be passed this id to access his stuff. This is all fine and good; a Script (Python) method could provide this to the ZSQL method behind the scenes without any great issue. The problem comes in when the user attempts to access this ZSQL method via its URL. Going this route he could pretty easily supply an arbitrary id and get access to information that he shouldn't have.
Yes, that would be a problem... so don't do it that way. :-)
Instead, have Zope provide you the name of the user from its authentication machinery. That's *much* harder to spoof.
To get this, cook up a Python script called get_user and use this for the code:
----
from AccessControl import getSecurityManager
return getSecurityManager().getUser().getUserName()
----
Now include a call to get_user() when you need to pass in the username as a parameter to your query.
HTH,
Dylan
On Thu, 2003-10-09 at 13:36, Eric Merritt wrote:
Let's take a simple example: assume that each user has an id that is keyed to his 'stuff'. The ZSQL method must be passed this id to access his stuff. This is all fine and good; a Script (Python) method could provide this to the ZSQL method behind the scenes without any great issue. The problem comes in when the user attempts to access this ZSQL method via its URL. Going this route he could pretty easily supply an arbitrary id and get access to information that he shouldn't have.
Yes, that would be a problem... so don't do it that way. :-)
Instead, have Zope provide you the name of the user from its authentication machinery. That's *much* harder to spoof.
To get this, cook up a Python script called get_user and use this for the code:
----
from AccessControl import getSecurityManager
return getSecurityManager().getUser().getUserName()
----
Now include a call to get_user() when you need to pass in the username as a parameter to your query.
Any reason why you shouldn't just use <dtml-var AUTHENTICATED_USER> as a parameter to your SQL query? just curious...
On Thu, 2003-10-09 at 15:54, Erik Myllymaki wrote:
----
from AccessControl import getSecurityManager
return getSecurityManager().getUser().getUserName()
----
Any reason why you shouldn't just use <dtml-var AUTHENTICATED_USER> as a parameter to your SQL query?
AUTHENTICATED_USER is deprecated because the SecurityManager object is a far more secure source of authentication information.
Anyway, once you've set it up, get_user() is way less typing than REQUEST.get('AUTHENTICATED_USER'). :-)
HTH,
Dylan
Instead, have Zope provide you the name of the user from its authentication machinery. That's *much* harder to spoof.
To get this, cook up a Python script called get_user and use this for the code:
----
from AccessControl import getSecurityManager
return getSecurityManager().getUser().getUserName()
----
Now include a call to get_user() when you need to pass in the username as a parameter to your query.
Thanks! I don't know why this didn't occur to me. It does however make good sense. Thanks for the info, I do have one more question though.

Can I add to the user information? At some point I will need to look up the user's numeric id to actually query the user data. I seem to have read something about attributes in the past, I may have to dig that info up.
On Fri, 2003-10-10 at 06:14, Eric Merritt wrote:
Instead, have Zope provide you the name of the user from its authentication machinery. That's *much* harder to spoof.
To get this, cook up a Python script called get_user and use this for the code:
----
from AccessControl import getSecurityManager
return getSecurityManager().getUser().getUserName()
----
Now include a call to get_user() when you need to pass in the username as a parameter to your query.
Thanks! I don't know why this didn't occur to me. It does however make good sense. Thanks for the info, I do have one more question though.
Can I add to the user information?
It's not quite as easy to add properties to user objects as it is with other objects. There's no TTW interface, but it can be done programmatically... more importantly, there are other options.
For example, you could create a folder for each user that has their username as its id. That folder could then store the userid property. Looking up the id might then be as easy as:
context[get_user()].userid
Having these folders may allow for some nice Acquisition magic too.
Depending on the number of users you have, the easiest thing might be to store a username:userid mapping somewhere and resolve from that, eg:
-----
my_map = {'bob':27, 'sally':38, ...}
return my_map.get(get_user())
-----
HTH,
Dylan
It's not quite as easy to add properties to user objects as it is with other objects. There's no TTW interface, but it can be done programmatically... more importantly, there are other options.
For example, you could create a folder for each user that has their username as its id. That folder could then store the userid property. Looking up the id might then be as easy as:
context[get_user()].userid
Having these folders may allow for some nice Acquisition magic too.
Depending on the number of users you have, the easiest thing might be to store a username:userid mapping somewhere and resolve from that, eg:
-----
my_map = {'bob':27, 'sally':38, ...}
return my_map.get(get_user())
-----
That's true, the ids will be stored in an RDBMS table so it's probably easiest to just do a join between the user table and whatever table I am querying on. Perhaps I could just kick the id into the session the first time I have to use it and from then on just pull it from there. There are a lot of ways to do it.
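The pattern the thread settles on, as an added example that is not part of the original posts and is not Zope code: a stand-in for Dylan's advice (the only identity input is the username the server's own authentication machinery reports, never a value from the request) combined with Eric's follow-up (resolve the numeric id through a join, optionally cache it in a server-side session). It uses sqlite3 with constructed sample rows so it runs without Zope; `auth_user`, `request`, `session` and the table layout are assumptions standing in for the security manager, REQUEST, the session object and the real schema. The first function reproduces the weakness Eric describes so the difference is visible.

```python
import sqlite3

def build_db():
    """Constructed sample data (assumption): two users, each owning one row of 'stuff'."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT UNIQUE);
        CREATE TABLE stuff (userid INTEGER, item TEXT);
        INSERT INTO users VALUES (27, 'bob'), (38, 'sally');
        INSERT INTO stuff VALUES (27, 'bob-private'), (38, 'sally-private');
    """)
    return db

def stuff_by_id_from_request(db, request):
    """The pattern the original post worries about: the query takes the userid
    straight from the request, so whoever can reach the method's URL chooses
    whose rows come back. Parameterisation stops SQL injection but not this."""
    userid = int(request["userid"])
    rows = db.execute("SELECT item FROM stuff WHERE userid = ?", (userid,))
    return [r[0] for r in rows]

def stuff_for_authenticated_user(db, auth_user):
    """Dylan's fix: the only input is the authenticated username, which the
    application obtains server-side (in Zope, get_user() wrapping
    getSecurityManager().getUser().getUserName()). The numeric id is joined
    in from the users table rather than accepted from the client."""
    rows = db.execute(
        "SELECT s.item FROM stuff AS s JOIN users AS u ON u.userid = s.userid "
        "WHERE u.username = ?",
        (auth_user,))
    return [r[0] for r in rows]

def lookup_userid(db, auth_user):
    """Resolve username -> numeric id; None for an unknown user."""
    row = db.execute("SELECT userid FROM users WHERE username = ?",
                     (auth_user,)).fetchone()
    return row[0] if row else None

def userid_from_session(db, session, auth_user):
    """Eric's idea of caching the id in the session after the first lookup.
    The cache entry is keyed by the authenticated username, so a session
    can only ever hand back the id that belongs to the user it was looked
    up for; `session` is any server-side mapping (assumption)."""
    key = ("userid", auth_user)
    if key not in session:
        session[key] = lookup_userid(db, auth_user)
    return session[key]

if __name__ == "__main__":
    db = build_db()
    # bob is logged in but asks for sally's id in the URL
    request = {"userid": "38"}
    print("id from request   :", stuff_by_id_from_request(db, request))     # sally's data leaks
    print("from auth'd user  :", stuff_for_authenticated_user(db, "bob"))   # only bob's data
    session = {}
    print("cached userid     :", userid_from_session(db, session, "bob"))    # 27
```

The point to check in a real deployment is that nothing reachable by URL accepts the id as a parameter at all: the ZSQL method should take only the username, and the Script (Python) that calls it should obtain that username from the security manager, not from the request.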
Hi All,

I am new to Zope, have installed it and am taking a review of it to develop web apps. I installed Zope in /usr/local/zope/Zope-2.6.x and added a few Products in the dir $HOME_ZOPE/var/pthon/Products. Especially CMF I added, after making a link to the same directory. And then I restarted Zope and got the CMF in my ZMI listing.

The same thing I tried with Plone but it is not coming up in my ZMI interface. Please help me.

Thanks in advance.
Rajeev
--
Rajeev Sharma
Netcore Solutions Pvt. Ltd
On Sat, 2003-10-11 at 07:41, Rajeev Sharma wrote:
I added a few Products in the dir $HOME_ZOPE/var/pthon/Products. Especially CMF I added, after making a link to the same directory. And then I restarted Zope and got the CMF in my ZMI listing.
The same thing I tried with Plone but it is not coming up in my ZMI interface.
Do you see Plone listed in /Control_Panel/Products? If you open it from there, do you see any tracebacks?
Without specific information, it's going to be hard for anyone to do much more than refer you to the installation documents.
Dylan
participants (4): Dylan Reinhardt, Eric Merritt, Erik Myllymaki, Rajeev Sharma