[Zope-dev] Owner Role -- clarification needed

Butch Landingin butchland@yahoo.com
Tue, 27 Jul 1999 08:35:36 -0700 (PDT)


Hi,

I'm playing around with building a cookie-based authentication Zope product, and 
I've been learning a lot about users, roles, local roles and proxy roles ...
So I was wondering if my understanding of the proposed Owner role (given that
documentation is very scanty) is correct, incorrect, or simply needs clarification.

The thing is, my setup is working, but who knows what bugs may lie just around 
the corner, merely because I misunderstand the concepts... (and since
I'm dealing with an authentication product, is *_specially_* important).

I'm using the Owner role in the context of allowing a user to change his/her 
passwords. I suppose I could create another role to fulfill this, so its really
not a big deal if I shouldn't be using the Owner role for this purpose:

So this is my setup :

     1. For a given Folder for which I am creating my cookie-based UserFolder 
        (named acl_users, of course) I create a role known as a cookieLoggedUser. 
        All users that are created in acl_users have the cookieLoggedUser 
        role automatically added to their roles profile (and cannot be deleted).

     2. In this Folder, there are dtml methods to allow you to login/logout etc. 
        (they are working fine and are of no importance to the issue at hand)
        When users log in, they acquire the role of cookieLoggedUser (along with 
        the other roles defined for their user id, of course).
 
     3. the acl_users permissions are modified to allow the 'Owner' role
        the privilege to "manage_users". (Is this advisable or is this a big 
        security hole?)

     4. I have a DTML method that displays the Change Password form (it submits
        the page to itself and I use a hidden form variable to check whether 
        it should process the form or not). 

     5. This method has its permissions
        set so that only users with the cookieLoggedUser role can 'view' it or
        'access contents information'. This means that Anonymous users can't see
        this page unless they log in first, in which case they acquire the
        cookieLoggedUser role. 

     6. The processing DTML code calls the acl_users methods to change the
        password (and has safeguards against logged-in users from changing
        anybody else's passwords except their own). Because they access
        the acl_user's methods which require 'manage_user' privileges, 
        I gave this method a proxy role of 'Owner' so that it can execute
        these privileged methods.

Some notes:

     a. I don't *_have_* to use the Owner role for this purpose. (I could easily
        create another role expressly just for accessing the acl_users privileged
        methods and my system would still work) but I do want to understand
        if the 'Owner' role is meant to be used in this context or not.

     b. If you give a user the Owner role, (along with the view management 
        screens, of course), you allow him/her the privilege to 'manage_users'.
        My understanding is that you normally *_dont_* give this role out to
        any ordinary user? 
  
        If this is incorrect, then my whole theory sinks down the drain...
        OTOH, if I'm incorrect, then just what the heck is the 'Owner' role for?
        
     c. I've thought about possible security holes and think (given the levels
        of security HTTP protocols can give, of course) it's fairly secure. It
        could be made more secure by encrypting the cookie better and providing
        a secure channel (i.e. SSL).

     d. I'd really like to hear the opinions of those in the know, especially about
        how we should use the 'Owner role' (of course, we can use it for any purpose
        we want to, but I want to know the *_right_* way to use it, i.e., the way it's
        meant to be used).
 
Thanks in advance,

Butch Landingin
butchland@yahoo.com
       
_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com