[Zope] Usage of AUTHENTICATED_USER

Shane Hathaway zope@pi.slcc.edu
Tue, 1 Feb 2000 17:48:44 -0700 (MST)


Zopistas,

I've been beating my head on the wall about this issue for weeks now.  I
need to be able to access the User object so that I can run a
has_permission check in Python.  However, I haven't been able to find a
reliable way to access the current authenticated user in Python code.

In fact, I have found a small security hole.  If a user has permission to
add folders, there is nothing stopping the user from
putting their own default User Folder in it.  There is a check that is
supposed to prevent that depending on permissions, but it's easy to
circumvent.

This is unlikely to be a major issue so I'll just say what's involved in
exploiting the hole.  The manage_addFolder method, used to create a new
folder, takes the current REQUEST as an argument.  All one needs to do is
call manage_addFolder without a REQUEST argument, and the extra security
checks are disabled.  Thus anyone who can create folders can also create
default user folders.

The issue is that there is no apparent way for a method such as
manage_addFolder to get the current User object to perform a proper
security check.  Getting it using REQUEST['AUTHENTICATED_USER'] isn't
reliable.  In fact, it is possible to call
<dtml-call "REQUEST.set('AUTHENTICATED_USER', bogusSuperUser)">
which works but fortunately doesn't have much effect at present.
(bogusSuperUser would be a folder with DTML methods has_permission,
has_role, validate, etc. and would masquerade as a SuperUser object.)

Summary: I need to perform extra security checks similar to what
manage_addFolder does, but it must be secure, unlike manage_addFolder.
All advice is welcome.

Shane Hathaway
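To make the two problems in the post concrete from the defender's side, here is an added illustration in plain Python; it is not Zope code and not anything the author posted. The classes and the permission names are constructed stand-ins: `User`, `BogusSuperUser`, the `POLICY` table, and the thread-local security context are all assumptions, and `createUserF`/`REQUEST` only mirror the shape of a `manage_addFolder`-style signature. `weak_add_folder` reproduces the pattern the post describes (the check runs only when REQUEST is supplied, and the principal is read from REQUEST, which the caller can set); `hardened_add_folder` performs the check unconditionally and takes the principal from a context that only the authentication layer writes.

```python
"""Weak vs. hardened permission check for a folder-creating method.

Added example, not Zope's code. Everything here is a constructed model:
the user objects, the POLICY mapping and the security context are
assumptions standing in for Zope's User, REQUEST and authentication layer.
"""
import threading


class User:
    """Minimal user: a name and a set of roles (constructed stand-in)."""

    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)

    def has_permission(self, permission, policy):
        # A permission is granted if any of the user's roles is allowed it.
        return bool(self.roles & policy.get(permission, set()))


class BogusSuperUser:
    """Stand-in for the spoof the post mentions: any object placed in REQUEST
    that answers has_permission with True."""

    name = "bogus"

    def has_permission(self, permission, policy):
        return True


# Constructed permission -> allowed-roles table (assumption, not Zope's).
POLICY = {
    "Add Folders": {"Manager", "Owner"},
    "Add User Folders": {"Manager"},
}


# --- weak pattern, shaped like the check the post describes ---------------
def weak_add_folder(id, createUserF=0, REQUEST=None):
    """Extra check only runs when REQUEST is given, and trusts REQUEST's user."""
    if createUserF and REQUEST is not None:
        user = REQUEST.get("AUTHENTICATED_USER")
        if user is None or not user.has_permission("Add User Folders", POLICY):
            raise PermissionError("Add User Folders denied")
    return {"id": id, "user_folder": bool(createUserF)}


# --- hardened pattern ------------------------------------------------------
_security = threading.local()  # written only by the authentication layer


def set_authenticated_user(user):
    """Model of the authentication layer recording the validated principal."""
    _security.user = user


def get_authenticated_user():
    user = getattr(_security, "user", None)
    if user is None:
        raise PermissionError("no authenticated user")
    return user


def require_permission(permission):
    """Principal comes from the security context, never from request data."""
    user = get_authenticated_user()
    if not user.has_permission(permission, POLICY):
        raise PermissionError("%s denied for %s" % (permission, user.name))
    return user


def hardened_add_folder(id, createUserF=0, REQUEST=None):
    require_permission("Add Folders")
    if createUserF:
        # Unconditional: does not depend on whether REQUEST was passed,
        # and ignores anything the caller put into REQUEST.
        require_permission("Add User Folders")
    return {"id": id, "user_folder": bool(createUserF)}


def _denied(fn, *args, **kw):
    """True if fn raises PermissionError, False if it succeeds."""
    try:
        fn(*args, **kw)
    except PermissionError:
        return True
    return False


def demo():
    """Run both variants as an Owner (may add folders, not user folders)."""
    set_authenticated_user(User("owner", ["Owner"]))
    spoofed = {"AUTHENTICATED_USER": BogusSuperUser()}
    results = {
        # Omitting REQUEST skips the weak check entirely.
        "weak_no_request": weak_add_folder("f1", createUserF=1)["user_folder"],
        # A spoofed object in REQUEST satisfies the weak check.
        "weak_spoofed_request": weak_add_folder("f2", 1, spoofed)["user_folder"],
        # The hardened check refuses both paths for an Owner.
        "hardened_no_request": _denied(hardened_add_folder, "f3", createUserF=1),
        "hardened_spoofed_request": _denied(hardened_add_folder, "f4", 1, spoofed),
    }
    # A Manager is still allowed to create a user folder.
    set_authenticated_user(User("admin", ["Manager"]))
    results["hardened_manager"] = hardened_add_folder("f5", createUserF=1)["user_folder"]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-25s %s" % (name, outcome))
```

The design point is the one the post is circling: the principal used for an authorization decision has to come from state that only the authentication code can write (here a thread-local, set once per request after credentials are validated), and the check itself must not be gated on an optional argument that the caller controls.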