[Zope3-dev] Certification: Supporting "Residual
InformationProtection" in Zope 3
Roger Ineichen
dev at projekt01.ch
Fri Dec 16 05:14:38 EST 2005
Hi Christian
interesting question!
This is really a missing part in Zope3.
> Hi,
>
> within the certification we once created a list (drawn from the CC
> catalogue) of functionality we want to support.
>
> One of those is called "Residual Information Protection" (RIP)
>
> The meaning of RIP is that when you delete security attributes (roles,
> users, groups, permission grants/denials) you want to make
> sure that the
> overall consistency of your security attributes is not affected.
>
> Example:
>
> Bob is a user of your site with the login name "bob". He
> was granted
> permissions all over the place, for example in folder
> "/asdf" he has
> the permission "perm.ModifyObjects".
>
> Bob doesn't want to work with you anymore and tells you so. You
> delete the user account "bob" from the system.
>
> 2 years later.
>
> Another Bob arrives and you assign him the same username.
> Suddenly he
> has all the permissions that the original "bob" had.
>
> This is a simple example of what can happen when you only partially
> delete security attributes. And it is a known problem with
> todays Zope 2
> security.
Yes, that is excatly what we d right now. If we remova a principal
we don't delete the permssion/grant imformation in the annotation.
I guess we have to add a generic subscriber for this and cleanup all
grant information in the object's annotation.
> Two questions arise for me now, as I face implementing the effective
> removal of residual data:
>
> - Does anybody know/understand whether this will heavily collide with
> undoing transactions or not?
You mean if a principal get added back via the undoing transaction
or if there is a meachnism to not allow to undo principal removal?
> - Is there an efficient way on the application-level in Zope 3 to
> iterate over objects out of the database? (There is something in the
> ZODB IIRC that can support iterating over objects of the same class)
Do you mean if sombody uses a SQL DB backend or something like that?
If so, I guess they have to provide the sublocation implementation as well.
I have no idea if this is supported in SQL implementation like the SQLObject
etc.
> Otherwise this function is likely to become a performance killer, as
> I'd have to go all over the place to remove stuff.
We do this everytime we delete a object. This is done with subscribers
and dispatching events to sublocations if a ObjectRemoveEvent get fired.
The only part we have to add is a subscriber which will remove grant
information for sublocations. We have to use a little hook for this
implementation since the content data structure isn't directly a child
of the IAuthentication utility.
Hm, perhaps we have to add a special event inherited from ObjectRemoveEvent
and dispatch this event to sublocations of the ISite reather then to the
sublocations of the IAuthentication. A different event will make sure that
we not directly dispatch the original ObjetRemoveEvent to the content
objects
of ISite.
Are I'm correct or did I miss something?
Regards
Roger Ineichen
> Cheers,
> Christian
>
> --
> gocept gmbh & co. kg - schalaunische str. 6 - 06366 koethen - germany
> www.gocept.com - ct at gocept.com - phone +49 3496 30 99 112 -
> fax +49 3496 30 99 118 - zope and plone consulting and development
>
More information about the Zope3-dev
mailing list