Hello Chris,
From chrism@zope.com Fri Mar 22 16:51 MET 2002 Subject: Re: [Zope] set accessrule Date: Fri, 22 Mar 2002 10:56:23 -0500
There is a simple answer to this question, but I'm not sure you're going to like it. ;-) Don't solely use access rules for security. Instead, use the Zope security framework. Protect the folder with a permission.
It seems I have only 2 choices:
1.) I don't want to create a zope userid for each web user, because we have a proprietary product for authorization. I will use a generic zope userid, for example web1.
I protect my folder: only manager and zope user web1 can see this folder. My folder has an access rule: it calls our proprietary product for authorization and if it grants access it will give the enduser the role web1.
This could be done only if set access rule is done before zope checks for the permission, because otherwise the zope login prompt would appear first. Is that true ?
2.) If all this is not possible, I guess I have to change the sources of set access rule (or to create a product "mysetaccessrule") to enable _SUPPRESS_ACCESSRULE for the role of manager only.
Would this solve my problem ?
3.) The best would be if set accessrule could be improved to use _SUPPRESS_ACCESSRULE for role manager only.
But I don't know if there are design issues making set access rule still not completely secure.
I could try to do this, but I don't know how to submit a proposal for a software change to a zope feature.
With kind regards, Juergen Berger
----- Original Message ----- From: <jbr@FIZ-Karlsruhe.DE> To: <zope@zope.org> Sent: Thursday, March 21, 2002 6:38 PM Subject: Re: [Zope] set accessrule
Hello,
summary of set access rule with zope 2.5.0
1.) for a folder testfolder I have set "Set Access Rule" to python script accessHB to limit access
2.) as Chris McDonough has shown (thanks !) accessHB is working like:
From chrism@zope.com Thu Mar 21 19:21 MET 2002 Subject: Re: [Zope] set accessrule Date: Thu, 21 Mar 2002 13:26:28 -0500
Hi,
I wouldn't bother to try to pass in REQUEST (the caller for access rules does not pass any arguments in to the script). Instead, get the REQUEST from context ala context.REQUEST. I think the test tab populates REQUEST for you via magic that doesn't happen when an access rule is called.
Your script becomes:
-----------------------------------------
## Script (Python) "accessruleHB"
##bind container=container
##bind context=context
##bind namespace=
##bind script=script
##bind subpath=traverse_subpath
##parameters=
##title=
# Access rules are called without arguments, so REQUEST is taken from context.
# Visitors without the session marker are sent back to the root folder.
if context.REQUEST.SESSION.get('MySessionId') is None:
    context.REQUEST.RESPONSE.redirect('/rootfolder')
-----------------------------------------
But there is a security problem with "Set Access Rule":
Any user, even an unauthorized one, can get access to the folder (which is restricted by set accessrule) if he adds _SUPPRESS_ACCESSRULE to the url:
http: ... testfolder/_SUPPRESS_ACCESSRULE
gives access to restricted folder testfolder.
This may be a bug or has been done to get access in case of emergency, but it makes set accessrule (more or less) useless.
What can I do to prevent Zope from giving access by adding _SUPPRESS_ACCESSRULE ?
Do I have to modify the programmes which implement set access rule ? I don't even know where these programmes are located.
With kind regards, Juergen Berger
OK, I think this is one of those cases where I have to say that I think you need to blow up what you've got and rethink this. Zope's security machinery is pretty comprehensive and if you can't extend it to do what you want, usually it probably means you're doing something wrong. ;-) While what you're doing may be expedient now, it sounds like it could grow into something that is very hard to maintain. I suggest writing a new user folder implementation or changing an existing user folder implementation. There are also "pluggable" user folder implementations such as Ex User Folder and LoginManager, neither of which I've used.
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
A solution might be to plug in your own authentication mechanism that defers to this third party product. This should not be much more difficult than setting up the site rule. You might want to take a look at the CookieCrumbler (part of the CMF) for a simple implementation of an authentication plug in. You might even be able to start with that code as a base and yank out the cookie stuff and sub in calls to your third party tool.
hth,
-Casey
jbr@FIZ-Karlsruhe.DE wrote:
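As an added example, not code from the thread, from Zope or from SiteAccess: a plain-Python model of the two layers Chris and Casey describe, an access rule that the thread reports is skipped when _SUPPRESS_ACCESSRULE appears in the URL, and a permission check fed by a user folder that defers to an external authorizer. All names (`check_access`, `roles_for`, `access_rule`), the session ids and the role set are constructed for this model; the real Zope APIs are not used.

```python
SUPPRESS = '_SUPPRESS_ACCESSRULE'

# Constructed sample data: session ids the external authorizer accepts
# (stand-in for the proprietary product) and the roles the folder's
# "View" permission is granted to in the security tab.
AUTHORIZED_SESSIONS = {'sess-123'}
VIEW_ROLES = {'Manager', 'web1'}


def access_rule(session_id):
    """Model of the accessruleHB script: let the request through only when
    the session marker exists, otherwise redirect to the root folder.
    Simplification: the marker exists exactly when the authorizer knows
    the session."""
    return 'allow' if session_id in AUTHORIZED_SESSIONS else 'redirect:/rootfolder'


def roles_for(session_id):
    """Roles a user folder in Casey's design would grant: the generic web1
    role when the external authorizer accepts the session, else Anonymous."""
    return {'web1'} if session_id in AUTHORIZED_SESSIONS else {'Anonymous'}


def check_access(path, session_id=None, protect_with_permission=True):
    """Decide a request to `path`: 'allow', 'redirect:<url>' or 'unauthorized'.

    protect_with_permission=False models Juergen's setup, where the access
    rule is the only gate; True models Chris's advice of also protecting
    the folder with a permission."""
    segments = [s for s in path.split('/') if s]
    # Layer 1: the access rule, skipped when the magic name is in the URL
    # (the behaviour the thread reports for SiteAccess).
    if SUPPRESS not in segments:
        verdict = access_rule(session_id)
        if verdict != 'allow':
            return verdict
    # Layer 2: the permission check, which runs regardless of the URL.
    if protect_with_permission and not (roles_for(session_id) & VIEW_ROLES):
        return 'unauthorized'
    return 'allow'


if __name__ == '__main__':
    bypass = '/testfolder/' + SUPPRESS
    for protected in (False, True):
        print('permission on folder: %s' % protected)
        print('  anonymous, normal URL :', check_access('/testfolder', None, protected))
        print('  anonymous, bypass URL :', check_access(bypass, None, protected))
        print('  authorized session    :', check_access('/testfolder', 'sess-123', protected))
```

With the rule as the only gate the bypass URL is allowed for an anonymous visitor; once the folder also carries a permission granted to Manager and web1, the same request is refused because no role was granted.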
Participants (3): Casey Duncan, Chris McDonough, jbr@FIZ-Karlsruhe.DE