[Zope] Re: major problems placing authentication on an extranet site-security flaw?

Michael Vartanyan pycry at doli.biz
Fri Feb 10 18:20:08 EST 2006


In the very beginning of my Zope career, I once "shot myself in the 
foot" with a very stupid thing... I kept it to myself then, but if we are 
talking about Zope security settings and usability of the ZMI at the 
same time, perhaps this is an ideal place to raise the issue.

If you use the famous manage_access page with all the checkboxes to set 
permissions on an object, it then calls manage_changePermissions using 
the POST method to apply your settings. The result is that 
http://your_object_url/manage_changePermissions (without any parameters) 
stays in your browser's visited URL history. Now imagine what happens if 
you click this URL by mistake while logged in as someone with the "Change 
permissions" permission.

I guess changing the form method to GET is not going to be liked by 
browsers that put additional restrictions on URL length. So I would 
propose introducing a basic request sanity check in 
manage_changePermissions itself. I cannot think of any use for resetting 
all permissions and acquisition for everyone, so the easiest way to do 
that is to simply check that at least something exists in the form:

...
    def manage_changePermissions(self, REQUEST):
        """Change all permissions settings, called by management screen.
        """
 >>    if  len(REQUEST.form)<2: raise ...
        self._isBeingUsedAsAMethod(REQUEST, 0)
        valid_roles=self.valid_roles()
        indexes=range(len(valid_roles))
        have=REQUEST.has_key
        permissions=self.ac_inherited_permissions(1)
        fails = []
...

or something like that.
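As an added example (not the author's code and not Zope's own), here is a stand-alone Python model of what a manage_access submission does to an object's permission table and of the sanity check proposed above; the role and permission lists, the FakeRequest class and the field naming p<i>r<j> / a<i> are constructed assumptions modelled on the ZMI form.

```python
# Added example (not from the thread or Zope): a stand-alone model of how a
# manage_access form submission rebuilds an object's permission table, and of
# the request sanity check proposed in the post above.
from dataclasses import dataclass, field

class BadRequest(Exception):
    """Raised when a permission-change request fails the sanity check."""

# Constructed role and permission lists standing in for valid_roles() and
# ac_inherited_permissions(1).
VALID_ROLES = ("Anonymous", "Authenticated", "Manager")
PERMISSIONS = ("View", "Change permissions")

@dataclass
class FakeRequest:
    """Minimal stand-in for Zope's REQUEST: HTTP method plus form fields."""
    method: str
    form: dict = field(default_factory=dict)

def apply_permission_form(form, valid_roles=VALID_ROLES, permissions=PERMISSIONS):
    """Rebuild the permission table from the checkboxes present in the form.

    Field naming is an assumption modelled on the ZMI: 'p<i>r<j>' grants
    permission i to role j, 'a<i>' keeps acquisition for permission i.
    An unchecked box is simply absent, so an EMPTY form means: no roles
    anywhere and acquisition switched off for every permission.
    """
    settings = {}
    for ip, perm in enumerate(permissions):
        roles = [r for ir, r in enumerate(valid_roles) if f"p{ip}r{ir}" in form]
        settings[perm] = {"roles": roles, "acquire": f"a{ip}" in form}
    return settings

def manage_change_permissions(request, min_fields=2):
    """Guarded handler: refuse a bare GET (a history-bar click) and any form
    too small to be a real submission (mirroring the proposed len(form) < 2
    check) before a single permission is rewritten."""
    if request.method != "POST":
        raise BadRequest("permission changes must arrive by POST")
    if len(request.form) < min_fields:
        raise BadRequest("form is empty; refusing to reset all permissions")
    return apply_permission_form(request.form)

def locks_everyone_out(settings):
    """True when no role holds any permission and nothing is acquired."""
    return all(not s["roles"] and not s["acquire"] for s in settings.values())

if __name__ == "__main__":
    # What the stray URL would have done: every permission reset, Manager included.
    print(locks_everyone_out(apply_permission_form({})))  # True
    try:
        manage_change_permissions(FakeRequest("GET"))
    except BadRequest as exc:
        print("rejected:", exc)
```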


J Cameron Cooper wrote:

> michael nt milne wrote:
>
>> Well I said it was over and out but I have to respond to this latest 
>> post. I appreciate the help here and will be trying out some of the 
>> suggestions. Basically though, Zope permissions and security could be 
>> made a lot more usable. It's far too technically focused and this is 
>> the opinion of a few others as well. The whole ZMI interface could be 
>> put through a usability re-design to be honest and that's not even to 
>> contemplate the security areas.
>
>
> The ZMI is well known to be geeky. "For developers, by developers" 
> might be its motto. If you have some concrete suggestions, by all 
> means put them forth. Patches are even better.
>
> Anyway, ACLs are ACLs. And if you don't know what you're doing, you 
> can get into trouble real fast. Ever tried managing file security on a 
> Windows machine with ACLs?
>
> CMF (this includes Plone) provides a way to manage this complexity: 
> workflow states. Each workflow has a set of permissions it manages, 
> and a setting of these for each state. This is much more easily 
> comprehended than infinite fiddling with the ZMI Security tab.
>
> Also, as I recall, there was a "private plone site" howto on 
> plone.org; dunno what happened to it.
>
>         --jcc



