[Zope-dev] LDAPRoleTwiddler / BasicUserFolder

Shane Hathaway shane@zope.com
Thu, 17 Oct 2002 11:10:50 -0400


Jens Vagelpohl wrote:
> Being explicit is almost always better. You are relying on internal 
> magic and it's not apparent from looking at the code you wrote.
> 
> The validate implementation in the LDAPRoleExtender is the "most 
> correct" one. Shane worked on it for a while to make sure it does the 
> most correct thing possible, and if anyone knows about the vagaries of 
> acquisition/security and all its possible permutations it is him.

:-) Well, I tried to get it right, but I'm sure I could have missed 
something.

> On Thursday, Oct 17, 2002, at 08:37 US/Eastern, Dirk Datzert wrote:
> 
>> Hi Jens,
>>
>>> Why does that code no longer refer to the real userfolder? It
>>> should not make calls to authorize/identify/authorize on "self" but on
>>> the LDAPUserFolder it is using as the user source.
>>>
>>
>> self.identify() should be the same as getLUF().identify(), since 
>> LDAPUserFolder and LDAPRoleTwiddler both inherit it from 
>> BasicUserFolder.
>>
>> self.authenticate() does a self.getUser(), which refers to 
>> getLUF().getUser(), does the twiddling in one step and returns the right 
>> user object that the API would expect.
>>
>> I think that self.authorize(user,...) is better than 
>> self.getLUF().authorize(user,...)
>> because authorize does the following in its first line:
>>
>> def authorize(self, user,... ): (inherited from BasicUserFolder)
>>   user = getattr(user, 'aq_base', user).__of__(self)
>>
>> This would be different for self.authorize, where self would be the 
>> LRT, and
>> self.getLUF().authorize(), where self would be the LUF.
>>
>> The user is seen in two different contexts by .__of__(self).
>>
>> Maybe I'm thinking too complicated. Your opinion?

The idea behind LDAPRoleExtender is to give the user global roles if the 
user accesses a context where extra roles would be given.  In order to 
grant global roles, the context of the user is always the 
LDAPUserFolder, not the role extender.

Role computation applied this way has a nasty side effect, 
unfortunately: if the user is allowed to write any kind of script, the 
user can access anything protected by the supposedly local roles.  Don't 
ever grant the "Manager" role using LDAPRoleExtender unless you fully 
trust the user.

I don't know anything about LDAPRoleTwiddler.  But I would recommend you 
install the VerboseSecurity product, which will tell you a lot more 
about the Unauthorized error.

And if you're interested, I know how we can make LDAPRoleExtender much 
safer, based on conversations with Jens.

Shane
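A constructed toy model (added here; not Zope, LDAPUserFolder or LDAPRoleExtender code) of the side effect Shane describes: when a role extender writes context-derived roles onto the user object itself, any later check made from a script the user runs sees those roles, whereas computing roles per context keeps the grant local. `User`, `Folder`, `extend_globally`, `roles_in_context` and `leak_scenario` are invented names.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)  # roles the user carries in every context


@dataclass
class Folder:
    name: str
    required: str                                    # role needed to access this folder
    local_roles: dict = field(default_factory=dict)  # user name -> roles granted only here


def extend_globally(user, folder):
    """Flawed pattern: roles found for this context are written onto the user
    object, so every later check (including one made from a script the user
    wrote somewhere else) sees them."""
    user.roles |= folder.local_roles.get(user.name, set())
    return user.roles


def roles_in_context(user, folder):
    """Sound pattern: roles are computed per context and never stored on the user."""
    return user.roles | folder.local_roles.get(user.name, set())


def allowed(roles, folder):
    return folder.required in roles


def leak_scenario(mode):
    """Constructed scenario: alice is granted Manager only inside 'project';
    'admin' also requires Manager but grants her nothing.
    Returns (allowed in project, allowed in admin)."""
    alice = User("alice", {"Authenticated"})
    project = Folder("project", "Manager", {"alice": {"Manager"}})
    admin = Folder("admin", "Manager")
    if mode == "global":
        in_project = allowed(extend_globally(alice, project), project)
        # later, code running as alice asks about admin: the Manager role
        # picked up in project is still attached to her
        in_admin = allowed(extend_globally(alice, admin), admin)
    else:
        in_project = allowed(roles_in_context(alice, project), project)
        in_admin = allowed(roles_in_context(alice, admin), admin)
    return in_project, in_admin


if __name__ == "__main__":
    print("global:", leak_scenario("global"))  # (True, True): Manager leaked into admin
    print("local:", leak_scenario("local"))    # (True, False)
```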