[Zope-PTK] Membership Design

Chris Withers chrisw@nipltd.com
Thu, 03 Aug 2000 14:07:41 +0100


Bill Anderson wrote:
> So, out of curiosity, and as a proof of concept, I re-implemented the member mix-in, and
> persistenusersource provided in the membership product.

Cool :-)

> I put roles, domains, listed, and password onto a propertysheet (of the DataSkin variety).
> The password is stored encrypted. There is a 'downside' to this, in that you can't just
> send someone their password. On the other hand, that means the password isn't in
> cleartext.

In the most secure circumstances, it's good if you _can't_ send someone
their password, 'cos it proves you don't have access to it yourself ;-)

> Just for fun, I decided to add a members-only catalog; one that only members are indexed
> into. And followed up with the CatalogTrigger addon. Now, I have the capability to search
> for a user, and send them a _new_ password if they should forget theirs.

Sounds great :-)

> The aspect of this that concerns me, is the roles being in a propertysheet. Just how
> accessible to the user are these? IIUC, they can only change the properties if they have
> permission. But this would theoretically mean they can change their own roles. 

Erk, bad :( Is there any way you can protect this propertysheet with a
separate (or the 'Manager') role?

> My concern is that they
> could write DTML that changes these properties, giving themselves the manager role, for
> instance.
> Now, on sites where members/users don't get to write DTML, this is clearly a lesser issue.

They wouldn't even need to write DTML, they can probably do the change
through urls with arguments appended...

> BTW, Yes, I know about the __ thing, that's how the previous/current release operates. My
> problem has been in modifying the roles from Zope. Given the lack of response on the
> lists, I get the feeling I'm not alone in this. :/

I think I missed these posts :S

cheers,

Chris
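Added example, not part of the thread and not Zope's own DataSkin/PropertySheet code: a toy model of the two designs being discussed. The first keeps roles on the same sheet as the member-editable properties, so a member who may edit their own properties can hand themselves the Manager role by appending `roles:list=Manager` to a URL (the `:list` marshalling mimics ZPublisher's form conversion). The second splits roles onto a separate, Manager-only sheet and checks authorisation for every submitted key before writing anything. It also shows why a hashed password cannot be mailed back, and how a forgotten-password flow therefore issues a fresh one instead. The permission names, the `Member` class and all helper functions are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Assumed permission/role model (toy, not Zope's real one).
CHANGE_OWN_PROPERTIES = "Change Member Properties"
MANAGE_USERS = "Manage users"
ROLE_PERMISSIONS = {
    "Member": {CHANGE_OWN_PROPERTIES},
    "Manager": {CHANGE_OWN_PROPERTIES, MANAGE_USERS},
}


def hash_password(password, salt=None):
    """Salted one-way hash: the stored value cannot be mailed back to the user."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.sha256((salt + ":" + password).encode()).hexdigest()
    return salt + "$" + digest


def check_password(stored, candidate):
    salt = stored.split("$", 1)[0]
    return hmac.compare_digest(hash_password(candidate, salt), stored)


class Member:
    """Assumed stand-in for a DataSkin-backed member: everything on one dict."""

    def __init__(self, name, password, roles=("Member",)):
        self.name = name
        self.properties = {
            "roles": list(roles), "domains": [], "listed": True,
            "password": hash_password(password),
        }

    def has_permission(self, permission):
        return any(permission in ROLE_PERMISSIONS.get(r, ())
                   for r in self.properties["roles"])


def parse_form(query_string):
    """Mimic ZPublisher ':list' marshalling: 'roles:list=Manager' -> roles=['Manager']."""
    form = {}
    for key, values in parse_qs(query_string).items():
        if key.endswith(":list"):
            form[key[:-5]] = values
        else:
            form[key] = values[-1]
    return form


def edit_properties_single_sheet(actor, target, form):
    """The design Bill worries about: one sheet, so the permission that lets a
    member edit their own properties also lets them write 'roles'."""
    if actor is not target or not actor.has_permission(CHANGE_OWN_PROPERTIES):
        raise PermissionError("cannot edit this member")
    for key, value in form.items():
        if key in target.properties and key != "password":
            target.properties[key] = value


MEMBER_EDITABLE = {"domains", "listed"}
MANAGER_ONLY = {"roles"}


def edit_properties_split_sheets(actor, target, form):
    """Chris's suggestion: 'roles' on its own sheet behind a Manager-level
    permission. Every key is authorised before any key is written."""
    for key in form:
        if key in MEMBER_EDITABLE:
            own = actor is target and actor.has_permission(CHANGE_OWN_PROPERTIES)
            if not (own or actor.has_permission(MANAGE_USERS)):
                raise PermissionError("cannot edit %s" % key)
        elif key in MANAGER_ONLY:
            if not actor.has_permission(MANAGE_USERS):
                raise PermissionError("only a Manager may change %s" % key)
        else:
            raise ValueError("not an editable property: %s" % key)
    for key, value in form.items():
        target.properties[key] = value


def reset_password(actor, target):
    """Forgotten password: the old one is unrecoverable, so a Manager mints a
    new one and returns it for delivery to the member."""
    if not actor.has_permission(MANAGE_USERS):
        raise PermissionError("only a Manager may reset passwords")
    new_password = secrets.token_urlsafe(12)
    target.properties["password"] = hash_password(new_password)
    return new_password


if __name__ == "__main__":
    bill = Member("bill", "hunter2")
    edit_properties_single_sheet(bill, bill, parse_form("roles:list=Manager"))
    print("single sheet, bill is now Manager:", bill.has_permission(MANAGE_USERS))
```

The split-sheet version is deliberately all-or-nothing: a request mixing `listed=0` with `roles:list=Manager` is rejected outright rather than half-applied, which is what you want when the request arrives as URL arguments the member controls.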