[Zope-dev] copy/paste security
Christopher N. Deckard
cnd@ecn.purdue.edu
Wed, 1 May 2002 15:57:30 -0500
Hi,
It is common knowledge that we can restrict access
to an object by taking away many of the permissions
from the security manager in the ZMI. Especially
in the case of some objects like Oracle database
connections, you don't want other people to be
able to snag your "connect string" which contains
username and password information.
However, if a user has access to any folder on the
system, they can programatically (and in some
cases use the ZMI) copy the objects to anohter
location. For example, if a user can view the
management screens in a folder, they can copy an
object, paste it to another location, give his
self Manager local roles, and then view the "connect
string". This works basically for every object.
The problem is the CopySupport._canCopy method,
which always returns 1 (true). It looks like this
should be overridden for special products, but the
base functionality should do some basic
permission checking to determine if the object is
copyable or should be copied.
Below is a diff for OFS/CopySupport which adds a
check to _canCopy to look for the "Access contents
information" permission.
-Chris
--
--------------------------------------------------------------------
Christopher N. Deckard | Lead Web Systems Developer
cnd@ecn.purdue.edu | Engineering Computer Network
http://www.ecn.purdue.edu/ | Purdue University
---- zlib.decompress('x\234K\316Kq((-J)M\325KM)\005\000)"\005w') ---
--- CopySupport.py.orig Wed May 1 14:59:46 2002
+++ CopySupport.py Wed May 1 15:02:34 2002
@@ -382,7 +382,9 @@
def _canCopy(self, op=0):
"""Called to make sure this object is copyable. The op var
is 0 for a copy, 1 for a move."""
- return 1
+ if self.REQUEST.AUTHENTICATED_USER.has_permission('Access contents information', self):
+ return 1
+ return 0
def _notifyOfCopyTo(self, container, op=0):
"""Overide this to be pickly about where you go! If you dont