Hi! Let me share one thought that just occurred to me while looking at the ACLAuthorizationPolicy source code.

The thing is, the list of principals returned by the authentication policy is basically a list of strings. For logged-in users it contains 'system.Authenticated', the user ID (as returned by the authenticated_userid call) and the list of principals returned by the callback given to the policy object's constructor. The various Pyramid tutorials I've seen so far recommend prefixing group names, e.g. 'group:editors'. But still, the user name and the group names are thrown into the same list. In a system where a user can choose an arbitrary login, she can choose 'group:editors' and effectively gain some extra privileges.

Of course, it should be enough to filter the allowed user names properly (which is a good idea anyway), but mixing user names and prefixed group names in the same namespace doesn't seem very secure to me. I think it would also be fine to prefix all user names (as returned from unauthenticated_userid()) with a 'user:' prefix (or similar), thus making it impossible to introduce a user name that matches a prefixed group name.

Perhaps I overlooked something? Perhaps it's at least worth documenting (unless I'm totally wrong, of course)?

BR,
Przemek
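The collision described in the post, as an added example that is not part of the original message and not Pyramid's own code. The `permits` function below is a deliberately simplified stand-in for the first-matching-ACE logic of `ACLAuthorizationPolicy` (single context, no lineage walk), `effective_principals` mimics the principal list an authentication policy assembles, and the `user_prefix` parameter, the `GROUPS` table and the `is_valid_login` filter are assumptions constructed for the demonstration. It shows a self-registered login of `group:editors` being granted the `edit` permission, and the two mitigations the post mentions: prefixing user IDs with `user:` and rejecting logins that can collide with a group name.

```python
import re

# Constants mirroring the names used in Pyramid's ACL vocabulary.
Allow = "Allow"
Deny = "Deny"
Everyone = "system.Everyone"
Authenticated = "system.Authenticated"


def effective_principals(userid, groupfinder, user_prefix=""):
    """Build the principal list the way an authentication policy does:
    Everyone, then (for a known user) Authenticated, the user ID and
    whatever the groupfinder callback returns.  `user_prefix` is an
    assumed extension: "" reproduces the stock behaviour, "user:" is
    the namespacing suggested in the post."""
    principals = [Everyone]
    if userid is None:
        return principals
    groups = groupfinder(userid)
    if groups is None:  # unknown user: treated as not authenticated
        return principals
    principals.append(Authenticated)
    principals.append(user_prefix + userid)
    principals.extend(groups)
    return principals


def permits(acl, principals, permission):
    """Simplified ACLAuthorizationPolicy.permits: walk the ACL in order,
    the first ACE whose principal is in the list and whose permissions
    cover `permission` decides; no match means deny."""
    for action, principal, perms in acl:
        if principal not in principals:
            continue
        if isinstance(perms, str):
            perms = [perms]
        if permission in perms:
            return action == Allow
    return False


# Constructed user database: login -> group principals.
# "mallory" is an ordinary user; the login "group:editors" is one
# a self-registering attacker was allowed to pick.
GROUPS = {
    "alice": ["group:editors"],
    "mallory": [],
    "group:editors": [],
}


def groupfinder(userid):
    """Callback in the shape the policy constructor expects."""
    return GROUPS.get(userid)


# Constructed ACL: only editors may edit, anyone may view.
ACL = [
    (Allow, "group:editors", ["edit"]),
    (Allow, Everyone, "view"),
]


def can_edit(userid, user_prefix=""):
    """Does `userid` get the 'edit' permission under ACL?"""
    principals = effective_principals(userid, groupfinder, user_prefix)
    return permits(ACL, principals, "edit")


# Assumed login filter for the "filter the allowed user names" option:
# only lowercase letters, digits, dot, underscore and dash, so a login
# can never contain the ':' that group principals are built around.
LOGIN_RE = re.compile(r"^[a-z0-9._-]{1,32}$")


def is_valid_login(login):
    return LOGIN_RE.fullmatch(login) is not None


if __name__ == "__main__":
    print("alice can edit:", can_edit("alice"))                      # True
    print("mallory can edit:", can_edit("mallory"))                  # False
    print("'group:editors' can edit:", can_edit("group:editors"))    # True: collision
    print("with user: prefix:", can_edit("group:editors", "user:"))  # False
    print("login accepted:", is_valid_login("group:editors"))        # False
```

With the stock principal list the login `group:editors` is itself a principal that matches the ACE, so the attacker is an editor without being in any group; with the `user:` prefix the principal becomes `user:group:editors` and no longer matches, and the login filter stops the name from being registered at all.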
