[Zope-dev] Owner Role -- clarification needed
Butch Landingin
butchland@yahoo.com
Tue, 27 Jul 1999 08:35:36 -0700 (PDT)
Hi,
I'm playing around with building a cookie-based authentication Zope product, and
I've been learning a lot about users, roles, local roles and proxy roles ...
So I was wondering if my understanding of the proposed Owner role (given that
documentation is very scanty) is correct, incorrect, or simply needs clarification.
The thing is, my setup is working, but who knows what bugs may lie just around
the corner, merely because I misunderstand the concepts... (and since
I'm dealing with an authentication product, this is *_especially_* important).
I'm using the Owner role in the context of allowing a user to change his/her
password. I suppose I could create another role to fulfill this, so it's really
not a big deal if I shouldn't be using the Owner role for this purpose:
So this is my setup :
1. For a given Folder for which I am creating my cookie-based UserFolder
(named acl_users, of course) I create a role known as a cookieLoggedUser.
All users that are created in acl_users have the cookieLoggedUser
role automatically added to their roles profile (and cannot be deleted).
2. In this Folder, there are dtml methods to allow you to login/logout etc.
(they are working fine and are of no importance to the issue at hand)
When users log in, they acquire the role of cookieLoggedUser (along with
the other roles defined for their user id, of course).
3. the acl_users permissions are modified to allow the 'Owner' role
the privilege to "manage_users". (Is this advisable or is this a big
security hole?)
4. I have a DTML method that displays the Change Password form (it submits
the page to itself and I use a hidden form variable to check whether
it should process the form or not).
5. This method has its permissions
set so that only users with the cookieLoggedUser role can 'view' it or
'access contents information'. This means that Anonymous users can't see
this page unless they log in first, in which case they acquire the
cookieLoggedUser role.
6. The processing DTML code calls the acl_users methods to change the
password (and has safeguards to prevent logged-in users from changing
anybody else's password except their own). Because they access
the acl_users methods, which require 'manage_users' privileges,
I gave this method a proxy role of 'Owner' so that it can execute
these privileged methods.
Some notes:
a. I don't *_have_* to use the Owner role for this purpose. (I could easily
create another role expressly just for accessing the acl_users privileged
methods and my system would still work) but I do want to understand
if the 'Owner' role is meant to be used in this context or not.
b. If you give a user the Owner role (along with the view management
screens, of course), you allow him/her the privilege to 'manage_users'.
My understanding is that you normally *_don't_* give this role out to
any ordinary user?
If this is incorrect, then my whole theory sinks down the drain...
OTOH, if I'm incorrect, then just what the heck is the 'Owner' role for?
c. I've thought about possible security holes and think (given the levels
of security HTTP protocols can give, of course) it's fairly secure. It
could be made more secure by encrypting the cookie better and providing
a secure channel (i.e. SSL).
d. I'd really like to hear the opinions of those in the know, especially about
how we should use the 'Owner role' (of course, we can use it for any purpose
we want to, but I want to know the *_right_* way to use it, i.e., the way it's
meant to be used).
Thanks in advance,
Butch Landingin
butchland@yahoo.com
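The setup in steps 1 to 6 of the post, as an added example that is not part of the original message and not Zope's own code: a stand-alone Python model of users with roles, a permission-to-roles map on an acl_users stand-in, a method that is viewable only by cookieLoggedUser and runs with the proxy role Owner, and the step-6 ownership check. Every name in it (User, UserFolder, ProtectedMethod, build_site, attempt) is invented for the model, and the role semantics are simplified. The point it makes is the one the post worries about in step 3 and note b: once the method body runs with proxy role Owner it can call anything protected by manage_users, so the comparison against the authenticated user's own name is the only thing keeping a logged-in user from resetting someone else's password; build_site(guarded=False) shows what happens without that check.

```python
"""Toy model of Zope-style roles, permissions and proxy roles.

Added example for this page, not code from the original post and not Zope's
implementation. All names below are invented for the model.
"""
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised when a permission check fails (stands in for Zope's Unauthorized)."""


@dataclass
class User:
    name: str
    password: str
    roles: set = field(default_factory=set)


class UserFolder:
    """Stand-in for acl_users: a user table plus a permission -> roles map."""

    def __init__(self):
        self.users = {}
        # Out of the box only Manager may manage users.
        self.permissions = {"manage_users": {"Manager"}}

    def grant(self, permission, role):
        self.permissions.setdefault(permission, set()).add(role)

    def add_user(self, name, password, roles=()):
        # Step 1 of the post: every user created here gets cookieLoggedUser.
        user = User(name, password, set(roles) | {"cookieLoggedUser"})
        self.users[name] = user
        return user

    def check(self, permission, effective_roles):
        allowed = self.permissions.get(permission, set())
        if not allowed & effective_roles:
            raise Unauthorized(f"{permission} needs one of {sorted(allowed)}")

    def change_password(self, effective_roles, name, new_password):
        """Privileged call, like the manage_users-protected acl_users methods."""
        self.check("manage_users", effective_roles)
        self.users[name].password = new_password


class ProtectedMethod:
    """Model of a DTML method: roles allowed to view it, proxy roles, a body."""

    def __init__(self, view_roles, proxy_roles, body):
        self.view_roles = set(view_roles)
        self.proxy_roles = set(proxy_roles)
        self.body = body

    def __call__(self, caller, **kw):
        # Step 5: only users holding a viewing role may run the method at all.
        if not self.view_roles & caller.roles:
            raise Unauthorized(f"{caller.name} may not view this method")
        # Proxy roles replace the caller's roles while the body runs, but the
        # caller's identity (AUTHENTICATED_USER in Zope) is still available.
        effective = self.proxy_roles or set(caller.roles)
        return self.body(caller, effective, **kw)


def build_site(guarded=True):
    """Build the post's setup; guarded=False drops the step-6 ownership check."""
    acl = UserFolder()
    acl.grant("manage_users", "Owner")  # step 3: Owner may manage_users
    acl.add_user("alice", "alice-old")
    acl.add_user("bob", "bob-old")

    def change_password_body(caller, effective_roles, target, new_password):
        # Step 6 safeguard: with proxy role Owner the body can reach
        # manage_users, so this comparison is all that stops alice from
        # resetting bob's password.
        if guarded and target != caller.name:
            raise Unauthorized(f"{caller.name} may only change their own password")
        acl.change_password(effective_roles, target, new_password)

    change_password = ProtectedMethod(
        view_roles={"cookieLoggedUser"},  # step 5
        proxy_roles={"Owner"},            # step 6
        body=change_password_body,
    )
    return acl, change_password


def attempt(fn, *args, **kw):
    """Run a call and report True if it was allowed, False if refused."""
    try:
        fn(*args, **kw)
        return True
    except Unauthorized:
        return False


if __name__ == "__main__":
    acl, change_password = build_site()
    alice = acl.users["alice"]
    anon = User("Anonymous", "", {"Anonymous"})
    print("anonymous -> alice:", attempt(change_password, anon, target="alice", new_password="x"))
    print("alice -> alice:", attempt(change_password, alice, target="alice", new_password="a2"))
    print("alice -> bob:", attempt(change_password, alice, target="bob", new_password="b2"))
    print("alice, direct acl_users call:", attempt(acl.change_password, alice.roles, "alice", "a3"))
    acl2, unguarded = build_site(guarded=False)
    print("no guard, alice -> bob:", attempt(unguarded, acl2.users["alice"], target="bob", new_password="b2"))
```

The direct call to acl.change_password with alice's own roles is refused because she never holds Owner herself; only the method's proxy role supplies it. That is the whole reason the ownership check has to live inside the proxied method rather than in the permission settings.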