[Zope] set accessrule
Casey Duncan
casey@zope.com
Fri, 22 Mar 2002 11:59:37 -0700
A solution might be to plug in your own authentication mechanism that
defers to this third party product.
This should not be much more difficult then setting up the site rule.
You might want to take a look at the CookieCrumbler (part of the CMF)
for a simple implementation of an authentication plug in.
You might even be able to start with that code as a base and yank out
the cookie stuff and sub in calls to your third party tool.
hth,
-Casey
jbr@FIZ-Karlsruhe.DE wrote:
> Hello Chris,
>
> > From chrism@zope.com Fri Mar 22 16:51 MET 2002
> > Subject: Re: [Zope] set accessrule
> > Date: Fri, 22 Mar 2002 10:56:23 -0500
> >
> > There is a simple answer to this question, but I'm not sure you're going to
> > like it. ;-) Don't solely use access rules for security. Instead, use the
> > Zope security framework. Protect the folder with a permission.
>
> It seems I have only 2 choices:
>
> 1.) I don't want to create a zope userid for each web user, because we have a
> proprietary product for authorization. I will use a generic zope userid
> for example web1.
>
> I protect my folder: only manager and zope user web1 can see this folder
> My folder has a access rule: It calls our proprietary product for
> authorization and if it grants access it will give the enduser the
> role web1.
>
> This could be done only if set access rule is done before zope checks for the
> permission, because otherwise the zope login prompt would appear first.
> Is that true ?
>
> 2.) If all this is not possible, I guess I have to change the sources
> of set access rule (or to create a product "mysetaccessrule")
> to enable _SUPPRESS_ACCESSRULE for role of manager only.
>
> Would this solve my problem ?
>
> 3.) The best would be if set accessrule could be improved to
> use _SUPPRESS_ACCESSRULE for role manager only.
>
> But I don't know if there are design issues making set access rule still not
> complete secure.
>
> I could try to do this, but I dont't know how to submit a proposal for a
> software change to a zope feature.
>
>
> With kind regards, Juergen Berger
>
> >
> > ----- Original Message -----
> > From: <jbr@FIZ-Karlsruhe.DE>
> > To: <zope@zope.org>
> > Sent: Thursday, March 21, 2002 6:38 PM
> > Subject: Re: [Zope] set accessrule
> >
> >
> > > Hello,
> > >
> > > summary of set access rule with zope 2.5.0
> > >
> > > 1.) for a folder testfolder I have set "Set Access Rule" to python script
> > accessHB
> > > to limit access
> > >
> > > 2.) as Chris McDonough has shown (thanks !) accessHB is working like:
> > >
> > >
> > > > From chrism@zope.com Thu Mar 21 19:21 MET 2002
> > > > Subject: Re: [Zope] set accessrule
> > > > Date: Thu, 21 Mar 2002 13:26:28 -0500
> > > >
> > > > Hi,
> > > >
> > > > I wouldn't bother to try to pass in REQUEST (the caller for access
> > rules
> > > > does not pass any arguments in to the script). Instead, get the
> > REQUEST
> > > > from context ala context.REQUEST. I think the test tab populates
> > REQUEST
> > > > for you via magic that doesn't happen when an access rule is called.
> > > >
> > > > Your script becomes:
> > > >
> > > > -----------------------------------------
> > > > ## Script (Python) "accessruleHB"
> > > > ##bind container=container
> > > > ##bind context=context
> > > > ##bind namespace=
> > > > ##bind script=script
> > > > ##bind subpath=traverse_subpath
> > > > ##parameters=
> > > > ##title=
> > > >
> > > > if context.REQUEST.SESSION.get('MySessionId') == None:
> > > > context.REQUEST.RESPONSE.redirect('/rootfolder')
> > > > -----------------------------------------
> > > >
> > >
> > > But there is a security problem with "Set Access Rule":
> > >
> > > Any user even the unauthorized can get access to the folder (which
> > > is restricted by set accessrule) if he adds _SUPPRESS_ACCESSRULE to the
> > url:
> > >
> > > http: ... testfolder/_SUPPRESS_ACCESSRULE
> > >
> > > gives access to restricted folder testfolder.
> > >
> > > This may be a bug or has been done to get access in case of emergency, but
> > > it makes set accessrule (more or less) useless.
> > >
> > > What can I do to prevent Zope to give access by adding
> > > _SUPPRESS_ACCESSRULE ?
> > >
> > > Do I have to modify the programmes which implement set access rule ?
> > > I even don't know where these programmes are located.
> > >
> > > With kind regards, Juergen Berger
> >
> >
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )
>
>