[Zope-dev] Re: I want to fix App.Management.Tabs.manage_workspace

Tres Seaver tseaver at zope.com
Tue Apr 20 22:55:31 EDT 2004


Chris Withers wrote:
> Hi there,
> 
> App.Management.Tabs.manage_workspace sucks as I've described in
> http://zope.org/Collectors/Zope/1286:
> 
> 1. manage_workspace is only protected by the Authenticated role, and 
> that is done directly, not even through a permission.

It is designed to work "above" the permission structure, by showing you 
only those tabs you are allowed to see.  Note that this means that you 
can build an application which exposes the ZMI to non-manager users, as 
long as that application does not assign them permissions corresponding 
to the "manager" views.

> 2. self.filtered_manage_roles then limits the options of what can be 
> shown, which might end up being nothing. But, because the method is only 
> protected by 'Authenticated', no chance is given to specify other user 
> credentials (say, from a user folder higher up in the tree) which might 
> be able to see something.

If you are already authenticated, then somebody (likely the publisher) 
has found a user who matches your credentials;  that is who you are, for 
the duration of the request.  It would be a *terrible* idea to make this 
one spot subvert the security machinery this way.  Nothing else in Zope 
does this.

> 3. There's a bare try/except which masks errors. From what I can see, it 
> should ONLY catch IndexErrors.

As Casey says, "kill it dead".

> 4. The "raise TypeError" could do with some explanation.

The TypeError breaks out of what would otherwise be either infinite 
recursion (via a bug in some product), or else malicious subversion.  No 
"real" ZMI tab may have 'manage_workspace' as its action.

> 5. The Unauthorized could raise a more helpful message "You are not 
> authorized to view any of this object's management interface"

-0.

> What do people feel about the right way to solve this? 3,4 and 5 I'm 
> comfortable with fixing, but I'm stumped as to what "the right thing" is 
> to do on 1 and 2 which combine to create a thorny problem.
> 
> The semantics I want are: "Show the 1st management tab the user is 
> allowed to see, if they're not allowed to see anything, check if a user 
> of the same name further up the userfolder tree can see anything"

-1, as above, to checking up the tree.  Your credentials identify you, 
period.  Designing for the degenerate case where multiple users with the 
same login and password exist at different "depths" from the root, but 
with different roles, is not a good plan.

> Is that right? If so, how do I go about implementing it? Finally, what 
> branches should I do this on?

Definitely not the 2.6 branch;  it is closed to anything but urgent 
security fixes.

Tres.
-- 
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
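
Added example, not part of the original message and not Zope's own code: a stand-alone Python sketch of the tab-selection behaviour discussed in points 3 and 4, showing how a bare except turns a product bug into an apparent authorization failure while catching only IndexError lets it surface. All names (visible_tabs, first_tab, first_tab_bare, outcome) and the tab lists are hypothetical and constructed for illustration.

```python
class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized so the sketch runs on its own."""

# Constructed tab lists; each entry names the permission guarding the tab.
TABS = [
    {"action": "manage_main", "permission": "View management screens"},
    {"action": "index_html", "permission": "View"},
]
BROKEN = [{"permission": "View"}]  # product bug: no "action" key
LOOP = [{"action": "manage_workspace", "permission": "View"}]

def visible_tabs(options, held):
    """Tabs the already-authenticated user may see; `held` is a permission set."""
    return [o for o in options if o["permission"] in held]

def first_tab_bare(options, held):
    """Bare except: every failure, bugs included, looks like 'no access'."""
    try:
        return visible_tabs(options, held)[0]["action"]
    except:  # noqa: E722 (deliberate, to show the masking)
        raise Unauthorized("no management tabs visible")

def first_tab(options, held):
    """Only an empty tab list is translated into Unauthorized."""
    try:
        tab = visible_tabs(options, held)[0]
    except IndexError:
        raise Unauthorized("no management tabs visible")
    action = tab["action"]  # a KeyError from a broken product surfaces here
    if action.split("/")[-1] == "manage_workspace":
        # The dispatcher must never select itself: recursion guard.
        raise TypeError("manage_workspace cannot be a tab action")
    return action

def outcome(fn, options, held):
    """Return the chosen action, or the name of the exception raised."""
    try:
        return fn(options, held)
    except Exception as exc:
        return type(exc).__name__

if __name__ == "__main__":
    for opts in (TABS, BROKEN, LOOP):
        print(outcome(first_tab_bare, opts, {"View"}),
              outcome(first_tab, opts, {"View"}))
```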



