[Zope] Zope and security.

Otto Hammersmith otto@ipass.net
Thu, 11 Nov 1999 11:57:07 -0500


Brian Lloyd wrote:
> 
[snip things that seem to confirm my understanding :) ]
> 
> Now the caveat: when you give someone the "Change permissions"
> permission, you are effectively trusting him as a Manager in
> his own area. Though he can't affect things outside his area,
> it is not really possible to actually restrict what he can do
> in his own area once you've given "Change permissions". This
> is because he is now free to give himself any permission he
> wants (in his own folder) if he doesn't already have it.

And that's exactly the problem I see.

If I take away "Create ZSQL Methods" from his home folder but don't take
away the security tab, he can put it right back.  If I'm using UserDB to
authenticate, he can just create a Z SQL Method that queries the db for
userids and passwords.

So I get clever and take away his Security tab (which, btw, means he
can't control who sees his objects) but forget to take away his ability
to create folders; he creates a new folder, changes the permissions on it
so he can create Z SQL Methods, and we're back to square one.

It seems the only way to securely handle all this is to roll your own
folder that can't hold Z SQL Methods, or anything else that users don't
really need.  (Incidentally, if I did this with Z Classes, would there
be any performance implications?)
 
> It is possible that this behavior could be modified in the
> future (by enforcing some rules whereby a user can only
> modify roles or permissions that he already has), but some
> thought would need to go into this to be sure that there is
> a real need for it and that the behavior is well understood.

That probably wouldn't solve the problem, unless acquisition were
involved.  Otherwise you could easily circumvent it by creating a
new folder and doing whatever you please there.

Would it be possible with Z Classes to modify either the constructor or
the addForm to restrict who can create certain objects?  Would it be
possible in Python products?  That seems to be the appropriate place to
control what objects can be created by whom.
 
			-Otto.
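A toy model of the three paths discussed in this message (the direct attempt, the self-grant through the Security tab, and the restricted folder that simply refuses to hold Z SQL Methods), added here as an illustration; it is not Zope code and does not use Zope's API. The folder layout, the `Owner` role, the `Add <meta type>` permission names, the `allowed_types` whitelist and the `only_held` grant rule are constructed assumptions.

```python
"""Toy model of folder permissions with acquisition (constructed; not Zope's API).

Permission settings and local roles are acquired from ancestor folders, as in
the thread. `allowed_types` models the "roll your own folder" mitigation: a
whitelist of meta types enforced by the container itself, which no permission
grant can widen.
"""
from dataclasses import dataclass, field

CHANGE_PERMS = "Change permissions"


@dataclass
class Folder:
    name: str
    parent: "Folder | None" = None
    perms: dict = field(default_factory=dict)        # permission -> roles granted here
    local_roles: dict = field(default_factory=dict)  # user -> roles held here
    allowed_types: frozenset = frozenset()           # empty = inherit from parent
    children: dict = field(default_factory=dict)

    def _chain(self):
        node = self
        while node is not None:
            yield node
            node = node.parent

    def roles_of(self, user):
        # Local roles are acquired from every ancestor folder.
        return set().union(*(f.local_roles.get(user, set()) for f in self._chain()))

    def roles_for(self, perm):
        # Permission settings acquire from the nearest folder that defines them.
        for f in self._chain():
            if perm in f.perms:
                return f.perms[perm]
        return set()

    def allows(self, user, perm):
        return bool(self.roles_of(user) & self.roles_for(perm))

    def effective_allowed_types(self):
        # The whitelist also acquires; an empty result means "unrestricted".
        for f in self._chain():
            if f.allowed_types:
                return f.allowed_types
        return frozenset()


def grant(folder, actor, perm, role, only_held=False):
    """Give `role` the permission `perm` in `folder`, acting as `actor`.

    `only_held=True` models the rule floated in the quoted text: the actor may
    only hand out permissions he already holds in that folder (assumption).
    """
    if not folder.allows(actor, CHANGE_PERMS):
        raise PermissionError(f"{actor} lacks '{CHANGE_PERMS}' in {folder.name}")
    if only_held and not folder.allows(actor, perm):
        raise PermissionError(f"{actor} does not hold '{perm}' in {folder.name}")
    folder.perms[perm] = set(folder.roles_for(perm)) | {role}


def add_object(folder, actor, meta_type, name):
    """Create an object in `folder`: role check first, then the type whitelist."""
    perm = f"Add {meta_type}"
    if not folder.allows(actor, perm):
        raise PermissionError(f"{actor} lacks '{perm}' in {folder.name}")
    allowed = folder.effective_allowed_types()
    if allowed and meta_type not in allowed:
        raise TypeError(f"{folder.name} does not hold objects of type {meta_type}")
    child = Folder(name, parent=folder) if meta_type == "Folder" else (meta_type, name)
    folder.children[name] = child
    return child


def build_site(whitelist=frozenset()):
    """Constructed layout: /site is Manager territory, /site/otto a home folder."""
    site = Folder("site", perms={CHANGE_PERMS: {"Manager"}, "Add Folder": {"Manager"},
                                 "Add DTML Document": {"Manager"},
                                 "Add Z SQL Method": {"Manager"}})
    home = Folder("otto", parent=site, local_roles={"otto": {"Owner"}},
                  allowed_types=whitelist,
                  perms={CHANGE_PERMS: {"Manager", "Owner"},
                         "Add Folder": {"Manager", "Owner"},
                         "Add DTML Document": {"Manager", "Owner"}})
    site.children["otto"] = home
    return site, home


def _ok(fn, *args):
    try:
        fn(*args)
        return True
    except (PermissionError, TypeError):
        return False


def escalation_demo():
    """Return which paths succeed; True means the action went through."""
    results = {}
    _, home = build_site()
    results["direct"] = _ok(add_object, home, "otto", "Z SQL Method", "q")
    results["self_grant"] = _ok(grant, home, "otto", "Add Z SQL Method", "Owner")
    results["after_self_grant"] = _ok(add_object, home, "otto", "Z SQL Method", "q")

    _, home = build_site()
    results["self_grant_only_held"] = _ok(grant, home, "otto", "Add Z SQL Method", "Owner", True)

    _, home = build_site(whitelist=frozenset({"Folder", "DTML Document"}))
    sub = add_object(home, "otto", "Folder", "scratch")
    grant(sub, "otto", "Add Z SQL Method", "Owner")  # permission-wise this succeeds
    results["whitelisted_subfolder"] = _ok(add_object, sub, "otto", "Z SQL Method", "q")
    results["whitelisted_document"] = _ok(add_object, sub, "otto", "DTML Document", "d")
    return results


if __name__ == "__main__":
    for path, went_through in escalation_demo().items():
        print(f"{path}: {'allowed' if went_through else 'refused'}")
```

The role check alone is exactly what the message describes as insufficient: `after_self_grant` goes through because the user who holds "Change permissions" puts the permission back. The whitelist on the custom folder is inherited by the scratch subfolder, so `whitelisted_subfolder` is refused even after the self-grant, while ordinary document creation still works.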