[Zope] protecting users from hostile authors

marc lindahl marc@bowery.com
Fri, 24 Aug 2001 14:00:59 -0400


Well, one way is to have reviewers reviewing material - labor intensive but
a solution.  CMF has this built in (cmf.zope.org).

> From: "Kyler B. Laird" <laird@ecn.purdue.edu>
> Date: Fri, 24 Aug 2001 12:39:12 -0500
> To: zope@zope.org
> Subject: [Zope] protecting users from hostile authors
> 
> 
> We're in the process of building a cluster (just
> installed 8 machines) for serving a bunch (tens
> of thousands) of users.  Many/most of these
> people will also be authors.  A single (X.500-based)
> authentication system will be used for
> most everything.
> 
> I'm trying to get a handle on what policy I want
> to use in order to keep authors from doing Bad
> Things to authenticated users who visit their
> pages.
> 
> Looking around on Zope.org, I realized that this
> might already be addressed.  Is there anything
> that prevents me (as a Zope community member
> with authoring privileges on zope.org) from
> luring users who have already authenticated with
> Zope.org to come look at my pages, and then
> running arbitrary commands with their
> privileges?
> 
> Anyone else grappling with this situation?  I'm
> trying to decide how to set policy so that users
> are reasonably safe, but authors still have the
> freedom to create Cool Stuff.  There will most
> certainly be multiple classes of authors - those
> who can act with the authenticated user's
> privileges and those who can not.  I'm not quite
> sure how to implement that yet, though.
> 
> I'm also concerned about links to Bad Things,
> like "delete your home directory" disguised as
> "Get porn here!".
> 
> Any thoughts?  Has this already been hashed out
> somewhere that I should have found?
> 
> Thank you.
> 
> --kyler