[Zope] set accessrule

Chris McDonough chrism@zope.com
Fri, 22 Mar 2002 12:08:58 -0500 

OK, I think this is one of those cases where I have to say that I think you
need to blow up what you've got and rethink this.  Zope's security machinery
is pretty comprehensive and if you can't extend it to do what you want,
usually it probably means you're doing something wrong. ;-)  While what
you're doing may be expedient now, it sounds like it could grow into
something that is very hard to maintain.

I suggest writing a new user folder implementation or changing an existing
user folder implementation.  There are also "pluggable" user folder
implementations such as Ex User Folder and LoginManager, neither of which
I've used.


> It seems I have only 2 choices:
>
> 1.) I don't want to create a zope userid for each web user, because we
have a
>   proprietary product for authorization. I will use a generic zope userid
>   for example web1.
>
>   I protect my folder: only manager and zope user web1 can see this folder
>   My folder has a access rule: It calls our proprietary product for
>   authorization and if it grants access it will give the enduser the
>   role web1.
>
>   This could be done only if set access rule is done before zope checks
for the
>   permission, because otherwise the zope login prompt would appear first.
>   Is that true ?
>
> 2.) If all this is not possible, I guess I have to change the sources
>  of set access rule (or to create a product "mysetaccessrule")
>  to enable _SUPPRESS_ACCESSRULE for role of manager only.
>
>  Would this solve my problem ?
>
> 3.) The best would be if set accessrule could be improved to
>   use _SUPPRESS_ACCESSRULE for role manager only.
>
>   But I don't know if there are design issues making set access rule still
not
>   complete secure.
>
>   I could try to do this, but I dont't know how to submit a proposal for a
>   software change to a zope feature.
>
>
> With kind regards, Juergen Berger
>
>  >
>  > ----- Original Message -----
>  > From: <jbr@FIZ-Karlsruhe.DE>
>  > To: <zope@zope.org>
>  > Sent: Thursday, March 21, 2002 6:38 PM
>  > Subject: Re: [Zope] set accessrule
>  >
>  >
>  > > Hello,
>  > >
>  > > summary of set access rule with zope 2.5.0
>  > >
>  > > 1.) for a folder testfolder I have set "Set Access Rule" to python
script
>  > accessHB
>  > >     to limit access
>  > >
>  > > 2.) as Chris McDonough has shown (thanks !)  accessHB is working
like:
>  > >
>  > >
>  > >  > From chrism@zope.com Thu Mar 21 19:21 MET 2002
>  > >  > Subject: Re: [Zope] set accessrule
>  > >  > Date: Thu, 21 Mar 2002 13:26:28 -0500
>  > >  >
>  > >  > Hi,
>  > >  >
>  > >  > I wouldn't bother to try to pass in REQUEST (the caller for access
>  > rules
>  > >  > does not pass any arguments in to the script).  Instead, get the
>  > REQUEST
>  > >  > from context ala context.REQUEST.  I think the test tab populates
>  > REQUEST
>  > >  > for you via magic that doesn't happen when an access rule is
called.
>  > >  >
>  > >  > Your script becomes:
>  > >  >
>  > >  >   -----------------------------------------
>  > >  >   ## Script (Python) "accessruleHB"
>  > >  >   ##bind container=container
>  > >  >   ##bind context=context
>  > >  >   ##bind namespace=
>  > >  >   ##bind script=script
>  > >  >   ##bind subpath=traverse_subpath
>  > >  >   ##parameters=
>  > >  >   ##title=
>  > >  >
>  > >  >   if context.REQUEST.SESSION.get('MySessionId') == None:
>  > >  >       context.REQUEST.RESPONSE.redirect('/rootfolder')
>  > >  >   -----------------------------------------
>  > >  >
>  > >
>  > > But there is a security problem with  "Set Access Rule":
>  > >
>  > > Any user even the unauthorized  can get access to the folder (which
>  > > is restricted by set accessrule)   if he adds _SUPPRESS_ACCESSRULE to
the
>  > url:
>  > >
>  > >    http: ... testfolder/_SUPPRESS_ACCESSRULE
>  > >
>  > > gives access to restricted folder testfolder.
>  > >
>  > > This may be a bug or has been done to get access in case of
emergency, but
>  > > it makes set accessrule (more or less) useless.
>  > >
>  > > What can I do to prevent Zope to give access by adding
>  > > _SUPPRESS_ACCESSRULE ?
>  > >
>  > > Do I have to modify the programmes which implement set access rule ?
>  > > I even don't know where these programmes are located.
>  > >
>  > > With kind regards, Juergen Berger
>  >
>  >
>
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
>