[Zope] The Ascetic Superuser
ethan mindlace fremen
mindlace@digicool.com
Tue, 05 Sep 2000 18:45:44 -0400
Chris Withers wrote:
> Well, okay, let me rephrase the question:
> Why is it bad for the bootstrap user to own anything?
> It used to be considered okay before Zope 2.2, so what has been
> changed/discovered that makes this now such a bad idea that despite
> loads of newbie pain and confusion, it's still worth while/necessary?
Objects used to execute according to the permissions of the
AUTHENTICATED_USER or the proxy role. "Ownership" only applied (for
execution purposes) if you explicitly set the proxy role to "Owner".
This was a Very Bad Thing (tm) because once you authenticated as
superuser you could view a random HTML page on the web/in your inbox
that had a little javascript thingy that went and wiped out your entire
site or <insert maliciousness here>.
Now every object executes according to the permission of the owner,
*not* the viewer. It can also run as a proxy role. The
super-bootstrap-user lives outside of "normal" zope authentication & has
permission to do anything save that which NotEvenGodShouldDo.
Therefore, it shouldn't own objects.
This is *quite* important, and needs to stay. I don't know how to
emphasize enough that this is a well thought out correction to an
extremely deadly class of security problems that still (afaik) plagues
many "other" through-the-web management systems.
The newbie pain, however, could probably be mitigated- don't call it a
Super user, since it hardly deserves the S or the cape. Have a user in
the default install. Something like that. Patches accepted.
--
ethan mindlace fremen
Zopatista Community Liaison
Abnegate I!
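The two execution models contrasted in the message above, as an added toy model. This is illustrative Python written for this page, not Zope's own security policy code; the User and Script classes, the roles, the permission names and the three scenarios are all constructed for the example, and it keeps the post's simplified statement that an executable runs with its owner's rights (or its proxy roles) rather than the viewer's. The attack it reproduces is what is now called cross-site request forgery: the authenticated superuser's browser is made to call an attacker-owned script.

```python
"""Toy model of through-the-web code executing with the viewer's rights
(pre-Zope 2.2) versus the owner's rights (2.2 as described in the post).
Added illustration, not Zope code; every name here is constructed."""
from dataclasses import dataclass

VIEW = "View"
DELETE = "Delete objects"
# Constructed role -> permission table.
ROLE_PERMISSIONS = {"Manager": {VIEW, DELETE}, "Anonymous": {VIEW}}


def roles_allow(roles, permission):
    """True if any of the given roles carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(r, ()) for r in roles)


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    # The bootstrap superuser sits outside normal authentication and is
    # simply allowed everything; it has no real role set of its own.
    bootstrap: bool = False

    def allowed(self, permission):
        return self.bootstrap or roles_allow(self.roles, permission)


@dataclass(frozen=True)
class Script:
    owner: User                  # creator of the through-the-web object
    needs: str                   # permission its body requires
    proxy_roles: frozenset = frozenset()


def legacy_policy(script, viewer):
    """Pre-2.2: check AUTHENTICATED_USER, i.e. whoever triggers the call."""
    return viewer.allowed(script.needs)


def owner_policy(script, viewer):
    """2.2 as the post describes it: check the owner, unless proxy roles
    are set, in which case the proxy roles are used instead."""
    if script.proxy_roles:
        return roles_allow(script.proxy_roles, script.needs)
    return script.owner.allowed(script.needs)


def run(script, viewer, site, policy):
    """Execute a destructive script under a policy; True if the site was wiped."""
    if policy(script, viewer):
        site.clear()
        return True
    return False


# Constructed principals.
ATTACKER = User("mallory", frozenset({"Anonymous"}))
SUPERUSER = User("bootstrap", frozenset(), bootstrap=True)
VISITOR = User("visitor", frozenset({"Anonymous"}))


def site_survives_drive_by(policy):
    """The attack in the post: the superuser's browser, while authenticated,
    loads a page that fires a request at a script the attacker owns."""
    site = {"index_html", "customers"}
    script = Script(owner=ATTACKER, needs=DELETE)
    return not run(script, SUPERUSER, site, policy)


def site_survives_superuser_owned(policy):
    """Why the bootstrap user should own nothing: under owner-based execution
    a script it owns runs unrestricted for anyone who calls it."""
    site = {"index_html", "customers"}
    script = Script(owner=SUPERUSER, needs=DELETE)
    return not run(script, VISITOR, site, policy)


def site_survives_proxy_role(policy):
    """Proxy roles replace the owner's roles: a Manager proxy role hands the
    attacker's script DELETE even though its owner lacks it."""
    site = {"index_html", "customers"}
    script = Script(owner=ATTACKER, needs=DELETE,
                    proxy_roles=frozenset({"Manager"}))
    return not run(script, SUPERUSER, site, policy)


if __name__ == "__main__":
    for name, policy in (("legacy", legacy_policy), ("owner", owner_policy)):
        print(name, "drive-by:", site_survives_drive_by(policy),
              "superuser-owned:", site_survives_superuser_owned(policy),
              "proxy Manager:", site_survives_proxy_role(policy))
```

Under the legacy policy the drive-by wipes the site because the viewer is the superuser; under owner-based execution it fails because the attacker who owns the script has no Delete permission. The second scenario shows the flip side the post warns about: the bootstrap user is modelled as "allowed everything" with no real role set, so anything it owns executes with unlimited rights for whoever calls it, which is exactly why it must not own objects. The third scenario shows proxy roles substituting for the owner's roles, the one way an executable gets rights its owner does not hold.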