[Zope] protecting users from hostile authors
marc lindahl
marc@bowery.com
Fri, 24 Aug 2001 14:00:59 -0400
Well, one way is to have reviewers reviewing material - labor intensive but
a solution. CMF has this built in (cmf.zope.org)
> From: "Kyler B. Laird" <laird@ecn.purdue.edu>
> Date: Fri, 24 Aug 2001 12:39:12 -0500
> To: zope@zope.org
> Subject: [Zope] protecting users from hostile authors
>
>
> We're in the process of building a cluster (just
> installed 8 machines) for serving a bunch (tens
> of thousands) of users. Many/most of these
> people will also be authors. A single (X.500-
> based) authentication system will be used for
> most everything.
>
> I'm trying to get a handle on what policy I want
> to use in order to keep authors from doing Bad
> Things to authenticated users who visit their
> pages.
>
> Looking around on Zope.org, I realized that this
> might already be addressed. Is there anything
> that prevents me (as a Zope community member
> with authoring privileges on zope.org) from
> luring users who have already authenticated with
> Zope.org to come look at my pages, and then
> running arbitrary commands with their
> privileges?
>
> Anyone else grappling with this situation? I'm
> trying to decide how to set policy so that users
> are reasonably safe, but authors still have the
> freedom to create Cool Stuff. There will most
> certainly be multiple classes of authors - those
> who can act with the authenticated user's
> privileges and those who can not. I'm not quite
> sure how to implement that yet, though.
>
> I'm also concerned about links to Bad Things,
> like "delete your home directory" disguised as
> "Get porn here!".
>
> Any thoughts? Has this already been hashed out
> somewhere that I should have found?
>
> Thank you.
>
> --kyler
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )