Hi Rob et al,
On Tue, 2009-05-26 at 11:47 -0700, Rob Miller wrote:
> Tim Knapp wrote:
<snip />
>
> well, the security holes that this opens up are what you might expect based
> on what you changed: it's now possible for any user to reactivate a disabled
> user, whereas before it was only possible for someone w/ the "Manage users"
> permission (assuming the guards you removed were still the default as
> provided in the member_approval_workflow).
>
> i wouldn't remove the guards, myself; instead i'd probably escalate the user
> privileges by changing to the "system" user before triggering the protected
> code, something like this:
>
>
> from AccessControl.SecurityManagement import getSecurityManager
> from AccessControl.SecurityManagement import newSecurityManager
> from AccessControl.SecurityManagement import setSecurityManager
> from AccessControl.SpecialUsers import system
>
> sm = getSecurityManager()
> try:
>     newSecurityManager(None, system)
>     ### INSERT CODE REQUIRING EXTRA PRIVS HERE
> finally:
>     setSecurityManager(sm)
>
>
> i haven't tested this, so it may need a bit of tweaking, but the idea is
> sound; i've used this technique successfully a number of times.
Just an update re. this thread that this code did in fact resolve 'most'
of my problems. I did also have to just do a check to see what the
'old_state' was (which I should've done at the outset) as follows (as
there's a guard transition that checks this):
    if getattr(member, 'old_state', None) == 'public':
        workflow.doActionFor(member, 'enable_public')
    else:
        workflow.doActionFor(member, 'enable_private')
Thanks again,
Tim
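Added example, not code from the thread: a pure-Python stand-in for the Zope security manager that shows the two points above, escalating to the system user only inside a try/finally so the caller's privileges are restored even when the guarded code raises, and choosing the enable transition from old_state. Unauthorized, User, SYSTEM, check_guard, escalated, do_action_for and reactivate are constructed names that imitate, but are not, the real AccessControl/workflow API.

```python
from contextlib import contextmanager

# Constructed stand-ins for AccessControl's security manager, the special
# "system" user and a workflow guard; not the real Zope API.
class Unauthorized(Exception):
    pass

class User:
    def __init__(self, name, permissions=()):
        self.name, self.permissions = name, set(permissions)

SYSTEM = User("system")                 # special user: bypasses all guards
_current = {"user": User("anonymous")}  # the "current" security manager

def getSecurityManager():
    return _current["user"]

def setSecurityManager(user):
    _current["user"] = user

def check_guard(permission):
    user = getSecurityManager()
    if user is not SYSTEM and permission not in user.permissions:
        raise Unauthorized("%s lacks %s" % (user.name, permission))

@contextmanager
def escalated():
    """Run the body as the system user; ALWAYS restore the caller's
    security manager afterwards, even if the body raises."""
    saved = getSecurityManager()
    setSecurityManager(SYSTEM)
    try:
        yield
    finally:
        setSecurityManager(saved)

def do_action_for(member, transition):
    # Both enable_* transitions are guarded by "Manage users".
    check_guard("Manage users")
    member["review_state"] = "public" if transition == "enable_public" else "private"
    return member["review_state"]

def reactivate(member):
    """Re-enable a disabled member under escalated privileges, picking the
    transition from the member's old_state (the check Tim added)."""
    with escalated():
        if member.get("old_state") == "public":
            return do_action_for(member, "enable_public")
        return do_action_for(member, "enable_private")
```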
>
> -r
>
--
Archive:
http://www.openplans.org/projects/remember/lists/remember/archive/2009/06/1243892080561
To unsubscribe send an email with subject "unsubscribe" to
[email protected]. Please contact
[email protected] for questions.