[Zope-dev] Server Side Trojan Issue really dead?

[Shane Hathaway]

Steve Alexander wrote:
> > The problem with applying this principle in Zope is that the roles and
> > permissions system is very expressive, and it is complex to know when
> > one user has lower permissions than another.
> 
> However... the zope security system could help with this. Here's an ill
> thought out idea for your consideration :-)
> 
> Have a function that takes two sets of permissions, and returns the
> intersection of these sets. Then, use some sort of local permissions
> combination to make the wiki page that's been edited have the resultant
> lowest-common-denominator permissions, even for the owner.

Great minds certainly do think alike. :-)

That's the way the security model works now.  Jim gets the credit.  If
a manager comes along and executes something created by another user,
it is executed with the permissions consisting of the intersection of
the permissions of the manager and the user.  So the "DEE()" example
would not work *if the ownership is changed upon editing the page*.

That's the key: it is my understanding that all Zope products that can
potentially execute code need to be updated to change their ownership
upon editing.  I don't know how much has been corrected.

Note that proxy roles still work as before with one difference: they
can also be used to *reduce* the permissions in effect.

> Make this kind of thing a standard feature of the security system, and
> write some guidelines to help out authors of products that allow editing
> content that is also executable.

Yes, there needs to be more documentation on this point.  What needs to
be edited, if it doesn't mention it already, is Brian's new security
guide for product authors.  However, there's a good chance it already
covers this.

Shane