[Zope] set accessrule

jbr@FIZ-Karlsruhe.DE
Fri, 22 Mar 2002 17:42:39 +0100 (MET)


Hello Chris, 

 > From chrism@zope.com Fri Mar 22 16:51 MET 2002
 > Subject: Re: [Zope] set accessrule
 > Date: Fri, 22 Mar 2002 10:56:23 -0500
 >
 > There is a simple answer to this question, but I'm not sure you're going to
 > like it. ;-)  Don't solely use access rules for security.  Instead, use the
 > Zope security framework.  Protect the folder with a permission.

It seems I have only 2 choices:

1.) I don't want to create a Zope userid for each web user, because we have a
  proprietary product for authorization. I will use a generic Zope userid,
  for example web1.

  I protect my folder: only Manager and the Zope user web1 can see this folder.
  My folder has an access rule: it calls our proprietary product for
  authorization and, if it grants access, it gives the end user the
  role web1.

  This could only be done if the access rule is executed before Zope checks the
  permission, because otherwise the Zope login prompt would appear first.
  Is that true?

2.) If all this is not possible, I guess I have to change the sources
 of Set Access Rule (or create a product "mysetaccessrule")
 to enable _SUPPRESS_ACCESSRULE for the Manager role only.

 Would this solve my problem?

3.) The best would be if Set Access Rule could be improved to
  honour _SUPPRESS_ACCESSRULE for the Manager role only.

  But I don't know if there are design issues that make Set Access Rule still not
  completely secure.
  
  I could try to do this, but I don't know how to submit a proposal for a
  software change to a Zope feature.
  

With kind regards, Juergen Berger

 >
 > ----- Original Message -----
 > From: <jbr@FIZ-Karlsruhe.DE>
 > To: <zope@zope.org>
 > Sent: Thursday, March 21, 2002 6:38 PM
 > Subject: Re: [Zope] set accessrule
 >
 >
 > > Hello,
 > >
 > > summary of set access rule with zope 2.5.0
 > >
 > > 1.) for a folder testfolder I have set "Set Access Rule" to Python Script accessHB
 > >     to limit access
 > >
 > > 2.) as Chris McDonough has shown (thanks !)  accessHB is working  like:
 > >
 > >
 > >  > From chrism@zope.com Thu Mar 21 19:21 MET 2002
 > >  > Subject: Re: [Zope] set accessrule
 > >  > Date: Thu, 21 Mar 2002 13:26:28 -0500
 > >  >
 > >  > Hi,
 > >  >
 > >  > I wouldn't bother to try to pass in REQUEST (the caller for access rules
 > >  > does not pass any arguments in to the script).  Instead, get the REQUEST
 > >  > from context a la context.REQUEST.  I think the test tab populates REQUEST
 > >  > for you via magic that doesn't happen when an access rule is called.
 > >  >
 > >  > Your script becomes:
 > >  >
 > >  >   -----------------------------------------
 > >  >   ## Script (Python) "accessruleHB"
 > >  >   ##bind container=container
 > >  >   ##bind context=context
 > >  >   ##bind namespace=
 > >  >   ##bind script=script
 > >  >   ##bind subpath=traverse_subpath
 > >  >   ##parameters=
 > >  >   ##title=
 > >  >
 > >  >   if context.REQUEST.SESSION.get('MySessionId') is None:
 > >  >       context.REQUEST.RESPONSE.redirect('/rootfolder')
 > >  >   -----------------------------------------
 > >  >
 > >
 > > But there is a security problem with  "Set Access Rule":
 > >
 > > Any user, even an unauthorized one, can get access to the folder (which
 > > is restricted by Set Access Rule) if he adds _SUPPRESS_ACCESSRULE to the URL:
 > >
 > >    http: ... testfolder/_SUPPRESS_ACCESSRULE
 > >
 > > gives access to restricted folder testfolder.
 > >
 > > This may be a bug or may have been done to get access in case of emergency, but
 > > it makes Set Access Rule (more or less) useless.
 > >
 > > What can I do to prevent Zope from giving access when
 > > _SUPPRESS_ACCESSRULE is added?
 > >
 > > Do I have to modify the programs which implement Set Access Rule?
 > > I don't even know where these programs are located.
 > >
 > > With kind regards, Juergen Berger
 >
 >
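The bypass Juergen describes and the "Manager only" hardening he proposes in options 2 and 3 are easier to reason about in a small model. The following is an added example, not code from the thread or from Zope itself: it models a Zope 2 style pre-traversal access-rule hook in plain Python, with a weak variant that honours a `_SUPPRESS_ACCESSRULE` path element for any caller (the behaviour reported above) beside a hardened variant that honours it only when the already-authenticated user holds the Manager role. The `Request` class, the `roles` set and the return strings are assumptions of the model; the rule body mirrors the `accessruleHB` script quoted earlier.

```python
"""Model of an access-rule traversal hook (illustration only, not Zope's SiteAccess code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# The magic path element observed in the thread.
SUPPRESS = "_SUPPRESS_ACCESSRULE"


@dataclass
class Request:
    """Minimal stand-in for the Zope REQUEST (assumed shape, constructed for this model)."""
    path: List[str]                               # remaining traversal steps, e.g. ["testfolder", "index_html"]
    roles: Set[str] = field(default_factory=set)  # roles of the user authenticated before traversal
    session: dict = field(default_factory=dict)   # stand-in for REQUEST.SESSION
    redirected_to: Optional[str] = None
    rule_ran: bool = False


def access_rule(request: Request) -> None:
    """The rule from the thread: redirect to /rootfolder when no session id exists."""
    request.rule_ran = True
    if request.session.get("MySessionId") is None:
        request.redirected_to = "/rootfolder"


def _outcome(request: Request) -> str:
    return "redirect" if request.redirected_to else "allowed"


def traverse_weak(request: Request) -> str:
    """Models the reported behaviour: any caller can skip the rule by adding
    _SUPPRESS_ACCESSRULE to the URL, regardless of who they are."""
    if SUPPRESS in request.path:
        request.path.remove(SUPPRESS)   # consume the marker so it is not traversed to
        return "suppressed"             # rule never runs
    access_rule(request)
    return _outcome(request)


def traverse_hardened(request: Request) -> str:
    """Option 3 from the thread: the suppression marker is honoured only for Manager.
    For everyone else the marker is still consumed (so it cannot be traversed to or
    leaked further down the path) but the access rule runs as if it were absent."""
    if SUPPRESS in request.path:
        request.path.remove(SUPPRESS)
        if "Manager" in request.roles:
            return "suppressed"
    access_rule(request)
    return _outcome(request)


if __name__ == "__main__":
    anon = Request(path=["testfolder", SUPPRESS, "index_html"])
    print("weak, anonymous + marker:    ", traverse_weak(anon))
    anon = Request(path=["testfolder", SUPPRESS, "index_html"])
    print("hardened, anonymous + marker:", traverse_hardened(anon), "->", anon.redirected_to)
    mgr = Request(path=["testfolder", SUPPRESS], roles={"Manager"})
    print("hardened, Manager + marker:  ", traverse_hardened(mgr))
```

Whether the real hook runs before the permission check, as option 1 requires, is a separate question the model deliberately does not answer; it only shows that gating the suppression step on an authenticated role removes the anonymous bypass without taking the emergency escape away from Manager.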