[Zope] Re: Re: [Security] How to encrypt a Zope oid ?

Terry Hancock hancock at anansispaceworks.com
Mon Sep 15 10:25:27 EDT 2003


On Monday 15 September 2003 02:24 am, Sinclair wrote:
> OK, but with Zope, you can build an application controller that decodes
> parameters and calls the real Zope object. Or a simple page controller
> that encrypts its parameters:
> 
> Example: a document has the URL:
>  $ZOPE/.../document_manager/document_37.
> 
> I wish the displayed URL looked like:
> $ZOPE/.../document_manager?document=k2316fge54dsgb51v3vsdv4
> 
> It is the document_manager that translates an unreadable parameter to
> the document's real URL.

Then, first of all, you should ensure that no one *can* directly
access "document_37" by restricting viewing to, say, management
roles only.  Then, "document_manager" is a Python script that
uses a proxy role (i.e. *it* has the permission required to view
document_37).  This Python script decodes the given URL
to decide what to return and returns that.

The encoding scheme is unspecified, of course.  I'm woefully ignorant
of cryptography, but it seems to me that this is the sort of thing that GPG
can do (i.e. create a reversible encoding of a string).  But there may be
a simpler solution to that.

Frankly, though, I can't see that this is buying you much security in
real life.  If the password protection on "document_37" is good enough
to be useful, then you should be able to rely on it (and avoid proxy roles).
If it's not good enough, then merely obfuscating the location like this
seems a bit inadequate.  Without the correct password, on a properly
configured Zope server, I'm pretty sure that the user will get the exact
same error message if they can't access document_37 -- no matter 
whether it is because it doesn't exist or because they don't have
permission to view it.

Cheers,
Terry

--
Terry Hancock ( hancock at anansispaceworks.com )
Anansi Spaceworks  http://www.anansispaceworks.com
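
Added example, not part of the original message and not Zope code: a plain-Python sketch of the "document_manager" lookup discussed above. It assumes a keyed HMAC as the unspecified encoding (one-way, so a server-side index does the reverse lookup), keeps the permission check in place, and raises the same error for a forbidden document as for a nonexistent one. The key, sample documents and role names are constructed.

```python
import base64
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"  # assumption: secret kept on the server

# Constructed sample data: document id -> (roles allowed to view, body)
DOCUMENTS = {
    "document_37": ({"Manager"}, "quarterly report"),
    "document_38": ({"Manager", "Member"}, "meeting notes"),
}


class NotFound(Exception):
    """Raised for unknown tokens and for forbidden documents alike."""


def make_token(doc_id, key=SECRET_KEY):
    """Derive a stable, unguessable URL parameter from a document id."""
    mac = hmac.new(key, doc_id.encode("utf-8"), hashlib.sha256).digest()
    # 16 bytes of MAC output, URL-safe base64 without padding (22 chars)
    return base64.urlsafe_b64encode(mac[:16]).rstrip(b"=").decode("ascii")


def build_index(documents, key=SECRET_KEY):
    """Reverse lookup table: token -> real document id."""
    return {make_token(doc_id, key): doc_id for doc_id in documents}


def document_manager(token, user_roles, index, documents=DOCUMENTS):
    """Resolve an opaque token, then still enforce the role check."""
    doc_id = index.get(token)
    if doc_id is None:
        raise NotFound("no such document")
    allowed_roles, body = documents[doc_id]
    if not allowed_roles & set(user_roles):
        # Same exception and message as above: a caller cannot tell
        # "does not exist" from "not permitted".
        raise NotFound("no such document")
    return body


if __name__ == "__main__":
    index = build_index(DOCUMENTS)
    token = make_token("document_37")
    print("document_manager?document=" + token)
    print(document_manager(token, ["Manager"], index))
```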


