[Zope] Re: Aquisition, UserFolder and security
bruno modulix wrote:
> Dieter, I didn't misunderstand your proposed solution. But some users exist in different CPMs with different roles in each CPM. So - unless I'm totally lost with how Zope's security works - if User1 has role RoleWithMuchPrivileges in Cpm1 and role RoleWithFewPrivileges in Cpm2, he could gain RoleWithMuchPrivileges in Cpm2 just by using the faked URL cpm1/cpm2/whatever_he_should_not_access_here. Worse, anyone existing in any CPM could gain access to any other CPM just by faking the URL.

The Zope security machinery goes out of its way to prevent such an exploit: essentially, it considers only containment acquisition when evaluating roles, etc.

Tres.

--
Tres Seaver +1 202-558-7113 [EMAIL PROTECTED]
Palladion Software "Excellence by Design" http://palladion.com

___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
[Zope] Re: Aquisition, UserFolder and security
Tres Seaver wrote:
> bruno modulix wrote:
>> Dieter, I didn't misunderstand your proposed solution. But some users exist in different CPMs with different roles in each CPM. So - unless I'm totally lost with how Zope's security works - if User1 has role RoleWithMuchPrivileges in Cpm1 and role RoleWithFewPrivileges in Cpm2, he could gain RoleWithMuchPrivileges in Cpm2 just by using the faked URL cpm1/cpm2/whatever_he_should_not_access_here. Worse, anyone existing in any CPM could gain access to any other CPM just by faking the URL.
>
> The Zope security machinery goes out of its way to prevent such an exploit:

Which one? I have the case where authentication happens in the context, not containment, i.e. given two sibling folders fa and fb, each with its own acl_users, if UserA exists in fa['acl_users'] and not in fb['acl_users'], then UserA is still authenticated in fb when accessing it through fa/fb (while he is not when accessing fb directly).

> essentially, it considers only containment acquisition when evaluating roles, etc.

I wasn't very sure about this. If I understand correctly, this means that authentication can come from an acl_users acquired by context (this is what I've experimented with), but that roles/permission lookup will only happen in the containment hierarchy?

--
Bruno Desthuilliers
Développeur
[EMAIL PROTECTED]
[Zope] Re: Aquisition, UserFolder and security
bruno modulix wrote:
> Dieter, I didn't misunderstand your proposed solution. But some users exist in different CPMs with different roles in each CPM. So - unless I'm totally lost with how Zope's security works - if User1 has role RoleWithMuchPrivileges in Cpm1 and role RoleWithFewPrivileges in Cpm2, he could gain RoleWithMuchPrivileges in Cpm2 just by using the faked URL cpm1/cpm2/whatever_he_should_not_access_here. Worse, anyone existing in any CPM could gain access to any other CPM just by faking the URL.

The Zope2 security machinery explicitly prevents such abuse by considering only containment acquisition when evaluating local roles, acquired permission maps, etc. It also insists that the user being considered exist in the context of the object being validated.

Tres.

--
Tres Seaver +1 202-558-7113 [EMAIL PROTECTED]
Palladion Software "Excellence by Design" http://palladion.com
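The rule Tres states, as an added toy model for illustration (not Zope's own code; the folder, user and role names are constructed): URL traversal acquires by context, so cpm1/cpm2 resolves, but the permission check walks only the containment chain of the validated object and requires the user to be found there. `allowed_by_context` shows the escalation Bruno feared; `allowed` shows why it does not happen.

```python
class Folder:
    """Toy container: parent = containment; users plays acl_users (name -> roles); perms: permission -> roles."""
    def __init__(self, id, parent=None, users=None, perms=None):
        self.id, self.parent, self.children = id, parent, {}
        self.users, self.perms = users or {}, perms or {}
        if parent is not None:
            parent.children[id] = self

def containment(obj):
    # Containment chain, innermost first (the aq_inner/aq_parent walk).
    while obj is not None:
        yield obj
        obj = obj.parent

def traverse(root, url):
    # URL traversal with context acquisition: a name missing from the current
    # object is looked up in every object already on the path, so cpm1/cpm2
    # resolves although cpm2 is not inside cpm1. Returns context, innermost first.
    chain = [root]
    for name in url.strip("/").split("/"):
        holder = next((o for o in reversed(chain) if name in o.children), None)
        if holder is None:
            raise KeyError(name)
        chain.append(holder.children[name])
    return chain[::-1]

def _roles(chain, user):
    return {r for o in chain for r in o.users.get(user, ())}

def _needed(chain, perm):
    return next((set(o.perms[perm]) for o in chain if perm in o.perms), set())

def allowed(user, chain, perm):
    # Zope-style check: the user must exist in a user folder on the containment
    # chain of the validated object, and only roles granted there count.
    cont = list(containment(chain[0]))
    if not any(user in o.users for o in cont):
        return False                 # user does not exist in this context
    return bool(_roles(cont, user) & _needed(cont, perm))

def allowed_by_context(user, chain, perm):
    # The behaviour Bruno feared: roles collected along the URL context chain.
    return bool(_roles(chain, user) & _needed(chain, perm))

# Constructed layout: two sibling CPMs under one root, both guarding "Manage".
MUCH, FEW = "RoleWithMuchPrivileges", "RoleWithFewPrivileges"
root = Folder("root")
cpm1 = Folder("cpm1", root, users={"User1": [MUCH], "UserA": [MUCH]}, perms={"Manage": [MUCH]})
cpm2 = Folder("cpm2", root, users={"User1": [FEW]}, perms={"Manage": [MUCH]})
secret = Folder("secret", cpm2)
```

Reaching cpm2/secret through cpm1 gives the context chain [secret, cpm2, cpm1, root], so the context-based check would grant User1 the role from cpm1, whereas the containment-based check sees only [secret, cpm2, root] and denies it, and it denies UserA outright because no user folder on that chain knows UserA.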
[Zope] Re: Aquisition, UserFolder and security
bruno modulix wrote:
> Dieter, I didn't misunderstand your proposed solution. But some users exist in different CPMs with different roles in each CPM. So - unless I'm totally lost with how Zope's security works - if User1 has role RoleWithMuchPrivileges in Cpm1 and role RoleWithFewPrivileges in Cpm2, he could gain RoleWithMuchPrivileges in Cpm2 just by using the faked URL cpm1/cpm2/whatever_he_should_not_access_here. Worse, anyone existing in any CPM could gain access to any other CPM just by faking the URL.

As Tres mentioned, that should not be possible, as it's contrary to the Zope Security Policy. Can you reproduce it within a blank CPS instance using standard CPS products? If yes, could you explain the steps to reproduce it, and the versions of CPS, CMF, Zope and Python you use?

Florent

--
Florent Guillaume, Nuxeo (Paris, France)
CTO, Director of R&D
+33 1 40 33 71 59
http://nuxeo.com
[EMAIL PROTECTED]