If you are really behind the 8-ball, here is a really ugly workaround that may buy you some time to fix it properly:

After you authenticate a user, use a DTML method (e.g. 'method1') to invoke the target method (e.g. <dtml-var "/.../.../somemethod">).

In 'somemethod', check to make sure that it was invoked by 'method1' (use a REQUEST var such as SCRIPT_URI or PATH_TRANSLATED). If you came from method1, let the user proceed; if not, do a RESPONSE.redirect somewhere else (e.g. the home page; I wouldn't display an error message, you don't want to help the hackers).

This is a really bad hack, and is not very secure, but it may buy you some time to fix the problem properly.

Good Luck!

Jonathan
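
The gatekeeper hack sketched in the message above, written out as an added, stand-alone model; this is not Jonathan's code, not Zope code, and nothing here is imported from Zope. A plain dict stands in for REQUEST and a small class for RESPONSE. The names method1 and somemethod are the placeholders from the mail; using REQUEST['URL'] (the URL of the object the client actually requested, which in Zope stays the same while a DTML method renders another object inside the same request) as the entry-point variable, and /index_html as the silent redirect target, are assumptions of this example, not something the mail specifies.

```python
"""Model of the 'somemethod may only be reached through method1' check.

Assumptions (not from the original mail):
  - REQUEST['URL'] is used as the entry-point indicator instead of
    SCRIPT_URI / PATH_TRANSLATED; in Zope the outer request's URL is
    still visible to an object rendered from inside a DTML method.
  - /index_html is the home page the uninvited caller is bounced to.
  - The publish() function below is a toy stand-in for Zope's publisher.
"""

GATE = "method1"        # the only method allowed to invoke somemethod
HOME = "/index_html"    # silent redirect target for everyone else (assumption)


class Response:
    """Minimal stand-in for Zope's RESPONSE object."""

    def __init__(self):
        self.redirected_to = None

    def redirect(self, location):
        self.redirected_to = location
        return ""          # an empty body, no error text for the caller


def invoked_via_gate(REQUEST):
    """True when the client's original URL ends in the gate method.

    A DTML method that does <dtml-var "somemethod"> renders it inside the
    same request, so REQUEST['URL'] still names method1. A client that
    calls somemethod directly, at any acquisition path, has a URL whose
    last segment is 'somemethod'. A trailing slash is tolerated.
    """
    path = REQUEST.get("URL", "").rstrip("/")
    return path.rsplit("/", 1)[-1] == GATE


def somemethod(REQUEST, RESPONSE):
    """The protected method: bounce anyone who did not come through the gate."""
    if not invoked_via_gate(REQUEST):
        return RESPONSE.redirect(HOME)
    # ... the real work would go here ...
    return "secret content for %s" % REQUEST.get("AUTHENTICATED_USER", "?")


def method1(REQUEST, RESPONSE):
    """The gate: what the DTML method does after authentication, i.e. it
    invokes somemethod with the very same REQUEST/RESPONSE pair."""
    return somemethod(REQUEST, RESPONSE)


# Toy publisher: map the last URL segment to the object being published,
# the way Zope traversal would pick method1 or somemethod.
PUBLISHED = {"method1": method1, "somemethod": somemethod}


def publish(url, user="bob"):
    """Simulate one HTTP request; returns (body, redirect_location)."""
    REQUEST = {"URL": url, "AUTHENTICATED_USER": user}
    RESPONSE = Response()
    name = url.rstrip("/").rsplit("/", 1)[-1]
    body = PUBLISHED[name](REQUEST, RESPONSE)
    return body, RESPONSE.redirected_to


if __name__ == "__main__":
    # Constructed sample requests: one through the gate, two direct hits on
    # somemethod (the second at an acquired path) that must be bounced.
    for url in ("/intranet/method1",
                "/intranet/somemethod",
                "/elsewhere/acquired/somemethod/"):
        print(url, "->", publish(url))
```

The check only holds while somemethod is really rendered from inside method1's request; it says nothing about who the caller is, which is why the mail calls it a stop-gap rather than a fix. The proper control remains a permission on somemethod evaluated in the right user folder context.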


----- Original Message -----
From: "bruno modulix" <[EMAIL PROTECTED]>
To: "Julien Anguenot" <[EMAIL PROTECTED]>
Cc: <zope@zope.org>
Sent: Tuesday, September 27, 2005 10:31 AM
Subject: Re: [Zope] Aquisition, UserFolder and security


Julien Anguenot wrote:
bruno modulix wrote:

Julien Anguenot wrote:


(snip)
To sum up it's a matter of configuration.

I'm afraid there's more to it than just a matter of configuration, cf
below...


I confirm. Having done the intranet of the Senegal government
(almost 35 CPS instances (one for each ministry) on the same Zope within
a ZEO env linked to a central LDAP with different branches for users
and groups per ministry) using CPS, I have sort of an idea what you're
trying to do here.


I've spent quite some time investigating the
CPSUserFolder/Metadirectories/Stackingdirectories/backingDirectories...
solution, and the final word (from Olivier Grisel, cf the cps-users ml)
was that some code concerning roles and groups management was not yet
fully implemented, so the whole thing couldn't work without patching and
merging parts of CPSDirectories - which was a definitive no-no for us.


I assume, you're talking about roles and groups compute schema fields
here on directories. This is TALES expression linking the directories.
The code can be wherever you wanna, even within the TALES expression if
you feel like...

That's probably, what Olivier tried to say. Still I didn't follow the
discussion at this time.

Too bad :(

You'll find it on the cps-users list. I'm not a CPS expert[1] - and not
even a Zope expert - but from what I saw, it seemed to imply more than
only TALES expressions...

[1] given the change pace and resulting lack of documentation, I guess
only you Nuxeo guys have a good understanding of the whole product...

Let me add that CPSUserFolder works and is in production for a while now
in several projects. So be sure it's stable.

I don't doubt it works fine. I just didn't manage to make the whole
thing work, and couldn't afford to spend more time on it.

I don't know if this has been fixed in 3.3.6, but anyway, this part of
our project is supposed to be already working (and mostly does, except
for this security problem), and we can't afford to come back on it, as
it would delay delivery by at least one week - which is also not an
option. But thanks anyway...


Then, you might have a design flaw...

Probably. Certainly. But we'll have to live with it for at least this
and next iteration - our customer needs a working solution for
yesterday, and we have pretty good reasons to do whatever we can to
deliver yesterday.

You didn't reply to my question in the first place: are you controlling
the LDAP (rw)?

Actually, no, r only. As I answered to Jens, it's part of a bigger
system, and we have very few freedom here. This will probably change in
the future, but we must first deal with the existing situation.

Are the schemas describing your users different between the CPS
instances?

Yes.

etc...

CPSUserFolder has been designed to tackle such a use case. (Not only
this use case but this one has been a reason of the existence of this
product.)

I know, that's why my first try was to use the CPSUserFolder +
metadirectories + etc solution.

Now from what I saw (I may have missed some points, but...), we
concluded that using LDAPUserGroupsFolder, at least for the first
rounds, would be much more manageable - we (well... I) only forgot that
acquisition could come in the way :(

Of course, looking for a hack to deliver your project can always be a
solution ;)

I'm afraid it's the only short-term solution we have.

--
Bruno Desthuilliers
Développeur
[EMAIL PROTECTED]
_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
