[Zope3-dev] Certification: Supporting "Residual Information Protection" in Zope 3

Jim Fulton jim at zope.com
Fri Dec 16 07:16:49 EST 2005


Christian Theune wrote:
> Hi,
> 
> within the certification we once created a list (drawn from the CC
> catalogue) of functionality we want to support.
> 
> One of those is called "Residual Information Protection" (RIP)
> 
> The meaning of RIP is that when you delete security attributes (roles,
> users, groups, permission grants/denials) you want to make sure that the
> overall consistency of your security attributes is not affected.
> 
> Example:
> 
>    Bob is a user of your site with the login name "bob". He was granted
>    permissions all over the place, for example in folder "/asdf" he has
>    the permission "perm.ModifyObjects".
> 
>    Bob doesn't want to work with you anymore and tells you so. You
>    delete the user account "bob" from the system.
> 
>    2 years later.
> 
>    Another Bob arrives and you assign him the same username. Suddenly he
>    has all the permissions that the original "bob" had.
> 
> This is a simple example of what can happen when you only partially
> delete security attributes. And it is a known problem with todays Zope 2
> security.

This is only a problem if username === user id.  In both Zope 2 and
Zope 3, these are distinct, although this isn't widely recognized or
leveraged in Zope 2.  I don't think it is necessary to remove all
grants to an old user *id* as long as ids are never reused.  I'd say it
might even be useful to keep the old grants, at least for some period,
for auditing purposed.

If we *do* need to be able to remove all grants for a deleted user
when we remove a user, then we need to provide an authorization system
that makes this possible.

> Two questions arise for me now, as I face implementing the effective
> removal of residual data:
> 
> - Does anybody know/understand whether this will heavily collide with
>   undoing transactions or not?

It would.  The Undo feature should not be included in the CC certified
version, or, perhaps undo should only be exposed to adminstrators as
a "break glass" sort of feature.  The reason is that, for current
versions of ZODB, undo cannot maintain transactional integrity.

> - Is there an efficient way on the application-level in Zope 3 to
>   iterate over objects out of the database? (There is something in the
>   ZODB IIRC that can support iterating over objects of the same class)
> 
>   Otherwise this function is likely to become a performance killer, as
>   I'd have to go all over the place to remove stuff.

By definition, there is no efficient way to iterate over all objects
in a database, any database, unless the database is small.  If we
need to be able to do this, we should design support into the
authorization system that we certify.

Jim

-- 
Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org


More information about the Zope3-dev mailing list