[Zope-dev] Security gap in "Manage users" & "Manage permissions" permissions (IMHO)

Andy Dustman adustman@comstar.net
Fri, 31 Mar 2000 15:07:11 -0500 (EST)


On Fri, 31 Mar 2000, Lalo Martins wrote:

> One thing I like about proxy roles is that you can't give a
> proxy role for a role you don't have.
> 
> Equally, IMHO when you have the "Change permissions" permission
> you shouldn't be able to grant permissions you don't have. And
> if we want completeness, when you have "Manage users" you
> shouldn't be able to give roles you don't have _except_ if
> you're Manager (because otherwise it would be impossible to
> create new roles...)
> 
> Is there a flaw in my reasoning?

It sounds pretty good to me. Maybe the way to do this is with an "Assign
other roles" permission: Allow the user to assign roles they aren't
assigned themselves. Then only give this permission to the Manager role.
Then when you manage users, if you are assigning a role you have, it
works, and if you don't have it, it only works if you have "Assign other
roles". Or maybe it should be "Assign any role" for emphasis.

I have been thinking about this problem a bit myself, because the project
I am working on will have users that need to manage other users, but not
necessarily have full access, and was coming to the conclusion that the
expedient way to do it was to subvert the system altogether (since I am
using GUF+MySQL). But if I can tie this into the standard Zope user
management stuff, all the better. 

-- 
andy dustman       |     programmer/analyst     |      comstar.net, inc.
telephone: 770.485.6025 / 706.549.7689 | icq: 32922760 | pgp: 0xc72f3f1d
"Therefore, sweet knights, if you may doubt your strength or courage, 
come no further, for death awaits you all, with nasty, big, pointy teeth!"
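As an added illustration (not code from this thread or from Zope itself), a small Python model of the rule proposed above: a user holding "Manage users" may assign only the roles they hold themselves, unless they also have the hypothetical "Assign other roles" permission, which only Manager gets. The role table and sample users are constructed for the example.

```python
# Added example (not Zope code): model of the "Assign other roles" rule.
# A user may grant a role to someone only if they hold that role, or
# hold the hypothetical "Assign other roles" permission (Manager only).
from dataclasses import dataclass, field

ASSIGN_OTHER_ROLES = "Assign other roles"  # hypothetical permission name

# Constructed role -> permission table; real Zope tables are configurable.
ROLE_PERMISSIONS = {
    "Manager": {"Manage users", "Change permissions", ASSIGN_OTHER_ROLES},
    "UserAdmin": {"Manage users"},
    "Editor": {"Change content"},
    "Anonymous": {"View"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

    def permissions(self):
        perms = set()
        for role in self.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms


class AssignmentDenied(Exception):
    pass


def can_assign_role(assigner, role):
    """True if `assigner` may grant `role` to another user (or themselves)."""
    if "Manage users" not in assigner.permissions():
        return False  # cannot manage users at all
    if role in assigner.roles:
        return True  # delegating a role you already hold is fine
    return ASSIGN_OTHER_ROLES in assigner.permissions()


def assign_role(assigner, target, role):
    """Grant `role` to `target`, refusing any escalation the rule forbids."""
    if not can_assign_role(assigner, role):
        raise AssignmentDenied(f"{assigner.name} may not assign {role!r}")
    target.roles.add(role)
    return target


# Constructed sample users
manager = User("alice", {"Manager"})
useradmin = User("bob", {"UserAdmin", "Editor"})
editor = User("carol", {"Editor"})
```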