annotate doc/security.txt @ 876:2ccfd7fa0099

Getting closer to a good framework.
author Richard Jones <richard@users.sourceforge.net>
date Wed, 17 Jul 2002 23:29:34 +0000
parents d19dd123bda2
children 7d41d4dae378
===================
Security Mechanisms
===================

:Version: $Revision: 1.10 $

Current situation
=================

Current logical controls:

ANONYMOUS_ACCESS = 'deny'
  Deny or allow anonymous access to the web interface
ANONYMOUS_REGISTER = 'deny'
  Deny or allow anonymous users to register through the web interface
ANONYMOUS_REGISTER_MAIL = 'deny'
  Deny or allow anonymous users to register through the mail interface

Current user interface authentication and controls:

- command-line tool access controlled with passwords, but no logical controls
- CGI access is by username and password and has some logical controls
- mailgw access is through identification using sender email address, with
  limited functionality available

The web interface implements specific logical controls,
preventing non-admin users from accessing:

- other users' details pages
- listing the base classes (not issues or their user page)
- editing base classes

Issues
======

1. The current implementation is ad-hoc, and not complete for all `use cases`_.
2. Currently it is not possible to allow submission of issues through email
   but restrict those users from accessing the web interface.
3. Only one user may perform admin functions.
4. There is no verification of users in the mail gateway by any means other
   than the From address. Support for strong identification through digital
   signatures should be added.
5. The command-line tool has no logical controls.

Possible approaches
===================

Security controls in Roundup could be approached in three ways:

1) at the hyperdb level, with read/write/modify permissions on classes, nodes
   and node properties for all or specific transitions.
2) at the user interface level, with access permissions on CGI interface
   methods, mailgw methods, roundup-admin methods, and so on.
3) at a logical permission level, checked as needed.

In all cases, the security built into roundup assumes restricted access to the
hyperdatabase itself, through Operating System controls such as user or group
permissions.


Hyperdb-level control
---------------------

Control is implemented at the Class.get, Class.set and Class.create level. All
other methods must access nodes through these methods. Since all accesses go
through the database, we can implement deny by default.

Pros:

- easier to implement as it only affects one module
- smaller number of permissions to worry about

Cons:

- harder to determine the relationship between user interaction and hyperdb
  permission.
- a lot of work to define
- must special-case to handle by-node permissions (editing user details,
  having private messages)

User-interface control
----------------------

The user interfaces would have an extra layer between that which
parses the request to determine action and the action method. This layer
controls access. Since it is possible to require methods be registered
with the security mechanisms to be accessed by the user, deny by default
is possible.

Pros:

- much more obvious at the user level what the controls are

Cons:

- much more work to implement
- most user interfaces have multiple uses which can't be covered by a
  single permission


Logical control
---------------

At each point that requires an action to be performed, the security mechanisms
are asked if the current user has permission. Since code must call the
check function to raise a denial, there is no possibility to have automatic
default of deny in this situation.

Pros:

- quite obvious what is going on
- is very similar to the current system

Cons:

- large number of possible permissions that may be defined, possibly
  mirroring actual user interface controls.
- access to the hyperdb must be strictly controlled through program code
  that implements the logical controls.

Applying controls to users
==========================

Individual assignment of Permission to User is unwieldy. The concept of a
Role, which encompasses several Permissions and may be assigned to many Users,
is quite well developed in many projects. Roundup will take this path, and
allow the multiple assignment of Roles to Users, and multiple Permissions to
Roles. These definitions will be stored in the hyperdb. They don't need to be
pushed to the actual database though.

There will be two levels of Permission. The Class level permissions define
logical permissions associated with all nodes of a particular class (or all
classes). The Node level permissions define logical permissions associated
with specific nodes by way of their user-linked properties.

A permission module defines::

    import weakref
    from roundup import hyperdb

    # sentinel meaning "no default was supplied" to get()
    _marker = []

    class InMemoryImmutableClass(hyperdb.Class):
        ''' Don't allow changes to this class's nodes.
        '''
        def __init__(self, db, classname, **properties):
            ''' Set up an in-memory store for the nodes of this class
            '''

        def create(self, **propvalues):
            ''' Create a new node in the in-memory store
            '''

        def get(self, nodeid, propname, default=_marker, cache=1):
            ''' Get the node from the in-memory store
            '''

        def set(self, *args):
            raise ValueError("%s are immutable" % self.__class__.__name__)

    class PermissionClass(InMemoryImmutableClass):
        ''' Include the default attributes:
            - name (String)
            - classname (String)
            - description (String)

            The classname may be unset, indicating that this permission is not
            locked to a particular class. That means there may be multiple
            Permissions for the same name for different classes.
        '''

    class RoleClass(InMemoryImmutableClass):
        ''' Include the default attributes:
            - name (String, key)
            - description (String)
            - permissions (PermissionClass Multilink)
        '''

    class Security:
        def __init__(self, db):
            ''' Initialise the permission and role classes, and add in the
                base roles (for admin user).
            '''
            # use a weak ref to avoid circularity
            self.db = weakref.proxy(db)

            # create the permission class instance (we only need one)
            self.permission = PermissionClass(db, "permission")

            # create the role class instance (we only need one)
            self.role = RoleClass(db, "role")

            # the default Roles
            self.addRole(name="User", description="A regular user, no privs")
            self.addRole(name="Admin", description="An admin user, full privs")
            self.addRole(name="No Rego",
                description="A user who can't register")

            ee = self.addPermission(name="Edit",
                description="User may edit everything")
            self.addPermissionToRole('Admin', ee)
            ae = self.addPermission(name="Assign",
                description="User may be assigned to anything")
            self.addPermissionToRole('Admin', ae)

        def hasClassPermission(self, db, classname, permission, userid):
            ''' Look through all the Roles, and hence Permissions, and see if
parents: 875
diff changeset
206 "permission" is there for the specified classname.
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
207
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
208 '''
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
209
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
210 def hasNodePermission(self, db, classname, nodeid, userid, properties):
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
211 ''' Check the named properties of the given node to see if the
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
212 userid appears in them. If it does, then the user is granted
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
213 this permission check.
871
a4ab8fdf83a2 More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 870
diff changeset
214
876
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
215 'propspec' consists of a list of property names. The property
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
216 names must be the name of a property of classname, or a
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
217 KeyError is raised. That property must be a Link or Multilink
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
218 property, or a TypeError is raised.
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
219
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
220 If the property is a Link, the userid must match the property
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
221 value. If the property is a Multilink, the userid must appear
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
222 in the Multilink list.
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
223 '''
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
224
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
225 def addPermission(self, **propspec):
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
226 ''' Create a new Permission with the properties defined in
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
227 'propspec'
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
228 '''
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
229
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
230 def addRole(self, **propspec):
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
231 ''' Create a new Role with the properties defined in 'propspec'
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
232 '''
871
a4ab8fdf83a2 More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 870
diff changeset
233
876
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
234 def addPermissionToRole(self, rolename, permissionid):
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
235 ''' Add the permission to the role's permission list.
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
236
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
237 'rolename' is the name of the role to add 'permissionid'.
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
238 '''
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
239
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
Modules such as ``cgi_client.py`` and ``mailgw.py`` define their own
permissions like so (this example is ``cgi_client.py``)::

    # XXX GAH. If the permissions are instance-db-specific then this can't
    # work!
    from roundup import permission

    # create some Permissions
    newid = permission.addPermission(name="Web Access",
        description="User may use the web interface")
    permission.addToRole('User', newid)
    permission.addToRole('No Rego', newid)
    newid = permission.addPermission(name="Web Registration",
        description="User may register through the web")
    permission.addToRole('User', newid)
    # XXX GAH!

The instance dbinit module then has in ``open()``::

    # open the database - it must be modified to init the Security class
    # from permissions.py as db.security
    db = Database(instance_config, name)

    # add some extra permissions and associate them with roles
    ei = db.security.addPermission(name="Edit", classname="issue",
        description="User is allowed to edit issues")
    db.security.addPermissionToRole('User', ei)
    ai = db.security.addPermission(name="Assign", classname="issue",
        description="User may be assigned to issues")
    db.security.addPermissionToRole('User', ai)

In the dbinit ``init()``::

    r = db.getclass('role').lookup('Admin')
    user.create(username="admin", password=Password(adminpw),
        address=instance_config.ADMIN_EMAIL, roles=[r])

    # choose your anonymous user access permission here
    #r = db.getclass('role').lookup('No Rego')
    r = db.getclass('role').lookup('User')
    user.create(username="anonymous", roles=[r])

Then in the code that matters, calls to ``hasClassPermission`` and
``hasNodePermission`` are made to determine if the user has permission to
perform some action::

    if db.security.hasClassPermission('issue', 'Edit', self.user):
        # all ok

    if db.security.hasNodePermission('issue', nodeid, self.user,
            ['assignedto']):
        # all ok

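The following is an added, self-contained Python sketch of the Role/Permission
model described above; it is example code written for this page, not Roundup's
own implementation. It carries the stated semantics through: a Permission whose
classname is unset applies to every class, a Link property grants only when its
value equals the user id, a Multilink grants when the id appears in the list,
and an unknown or non-link property name raises ``KeyError`` or ``TypeError``.
The ``String``/``Link``/``Multilink`` marker classes, the in-memory schema, the
user-to-role dict (standing in for the tracker's user class), the issue node
and the ``build_demo``/``raises`` helpers are all constructed for the example.

```python
import itertools


class String:
    """A plain value property (not a link); constructed for the example."""


class Link:
    """A property holding a single node id (or None)."""
    def __init__(self, classname):
        self.classname = classname


class Multilink:
    """A property holding a list of node ids."""
    def __init__(self, classname):
        self.classname = classname


class Security:
    """In-memory stand-in for the Security class sketched in the design."""

    def __init__(self, schema):
        self.schema = schema        # classname -> {propname: property type}
        self.nodes = {}             # (classname, nodeid) -> property values
        self.users = {}             # userid -> list of Role names (constructed)
        self.permissions = {}       # permission id -> dict(name, classname, ...)
        self.roles = {}             # role name -> dict(description, permissions)
        self._ids = itertools.count(1)
        # the default Roles from the design
        self.addRole(name="User", description="A regular user, no privs")
        self.addRole(name="Admin", description="An admin user, full privs")
        self.addRole(name="No Rego", description="A user who can't register")
        # Admin's Edit/Assign have no classname, so they apply to every class
        ee = self.addPermission(name="Edit", description="User may edit everything")
        self.addPermissionToRole('Admin', ee)
        ae = self.addPermission(name="Assign", description="User may be assigned to anything")
        self.addPermissionToRole('Admin', ae)

    def addPermission(self, name, classname=None, description=""):
        pid = str(next(self._ids))
        self.permissions[pid] = dict(name=name, classname=classname, description=description)
        return pid

    def addRole(self, name, description=""):
        self.roles[name] = dict(description=description, permissions=[])

    def addPermissionToRole(self, rolename, permissionid):
        self.roles[rolename]['permissions'].append(permissionid)

    def hasClassPermission(self, classname, permission, userid):
        """Walk the user's Roles and their Permissions; a Permission with
        classname None is global, otherwise its classname must match."""
        for rolename in self.users.get(userid, ()):
            for pid in self.roles[rolename]['permissions']:
                perm = self.permissions[pid]
                if perm['name'] == permission and perm['classname'] in (None, classname):
                    return True
        return False

    def hasNodePermission(self, classname, nodeid, userid, properties):
        """Grant if userid equals a Link property, or appears in a Multilink
        property, named in 'properties'. Unknown property -> KeyError;
        property that is not a Link/Multilink -> TypeError."""
        node = self.nodes[(classname, nodeid)]
        for propname in properties:
            prop = self.schema[classname][propname]     # KeyError if unknown
            if isinstance(prop, Link):
                if node.get(propname) == userid:
                    return True
            elif isinstance(prop, Multilink):
                if userid in node.get(propname, ()):
                    return True
            else:
                raise TypeError("%r is not a Link or Multilink property" % propname)
        return False


def build_demo():
    """Constructed tracker: default Roles plus the issue-specific Permissions
    that the design's dbinit open() adds to the User role."""
    sec = Security({'issue': {'title': String(),
                              'assignedto': Link('user'),
                              'nosy': Multilink('user')}})
    ei = sec.addPermission(name="Edit", classname="issue",
                           description="User is allowed to edit issues")
    sec.addPermissionToRole('User', ei)
    ai = sec.addPermission(name="Assign", classname="issue",
                           description="User may be assigned to issues")
    sec.addPermissionToRole('User', ai)
    # constructed users: 1=admin, 2=alice, 3=bob, 4=anonymous (No Rego)
    sec.users.update({'1': ['Admin'], '2': ['User'], '3': ['User'], '4': ['No Rego']})
    # constructed issue: assigned to alice, alice and bob on the nosy list
    sec.nodes[('issue', '5')] = {'title': 'demo', 'assignedto': '2', 'nosy': ['2', '3']}
    return sec


def raises(exc, fn, *args):
    """True if fn(*args) raises exc; used to show the KeyError/TypeError paths."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == '__main__':
    sec = build_demo()
    print(sec.hasClassPermission('issue', 'Edit', '2'))                # alice may edit issues
    print(sec.hasClassPermission('issue', 'Edit', '4'))                # anonymous may not
    print(sec.hasNodePermission('issue', '5', '3', ['assignedto', 'nosy']))  # bob is on nosy
```

Note that the class check and the node check are independent, as they are in
the design: ``hasClassPermission`` asks what the user's Roles allow on a class,
``hasNodePermission`` asks only whether the user is linked from the node, so
code that wants "may edit, and only if assigned" must call both.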
The htmltemplate will implement a new tag, ``<permission>``, which has the
form::

    <permission require=name,name,name node=assignedto>
     HTML to display if the user has the permission.
    <else>
     HTML to display if the user does not have the permission.
    </permission>

where the require attribute gives a comma-separated list of permission names
which are required, and the node attribute gives a comma-separated list of
node properties whose value must match the current user's id. Either of these
tests must pass or the permission check will fail. The section of HTML on
the side of the ``<else>`` that fails is removed from processing.


Authentication of Users
-----------------------

Users must be authenticated correctly for the above controls to work. This is
not done in the current mail gateway at all. Use of digital signing of
messages could alleviate this problem.

The exact mechanism of registering the digital signature should be flexible,
with perhaps a level of trust. Users who supply their signature through their
first message into the tracker should be at a lower level of trust than those
who supply their signature to an admin for submission to their user details.


Action
======

The CGI interface must be changed to:

- authenticate over a secure connection
- use unique tokens as a result of authentication, rather than pass the user's
  real credentials (username/password) around for each request (this means
  sessions and hence a session database)
- use the new logical control mechanisms

- implement the permission module
- implement a Role editing interface for users
- implement htmltemplate tests on permissions
- switch all code over from using config vars for permission checks to using
  permissions
- include config vars for initial Roles for anonymous web, new web and new
  email users
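
The "unique tokens rather than credentials" item above, shown as an added
Python example that is not Roundup's code: a server-side session table issues
a random token once a login has succeeded, maps it back to a user id on later
requests, expires it after a lifetime and forgets it on logout. Only a SHA-256
digest of each token is stored, so a leaked copy of the session database does
not contain usable tokens. The ``SessionStore`` class, the injectable ``clock``
and the ``demo`` walk-through are constructed for the example; how the token is
carried (a cookie, for instance) is left to the CGI layer.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Server-side session database: token digest -> (userid, expiry time)."""

    def __init__(self, lifetime=3600, clock=time.time):
        self.lifetime = lifetime          # seconds a session stays valid
        self.clock = clock                # injectable so tests can move time
        self._sessions = {}               # sha256(token) -> (userid, expires)

    @staticmethod
    def _digest(token):
        # store a digest, never the token itself
        return hashlib.sha256(token.encode('ascii')).hexdigest()

    def create(self, userid):
        """Call after the user has authenticated; returns the opaque token
        that the client presents instead of its password on each request."""
        token = secrets.token_urlsafe(32)        # 256 random bits from the OS CSPRNG
        self._sessions[self._digest(token)] = (userid, self.clock() + self.lifetime)
        return token

    def lookup(self, token):
        """Return the userid for a known, unexpired token, else None."""
        key = self._digest(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        userid, expires = entry
        if self.clock() >= expires:
            del self._sessions[key]              # expired: drop the row
            return None
        return userid

    def destroy(self, token):
        """Logout: forget the session so the token stops working at once."""
        self._sessions.pop(self._digest(token), None)

    def stores_plaintext(self, token):
        """True only if the raw token were kept as a key (it never is)."""
        return token in self._sessions


def demo():
    """Login / request / expiry / logout cycle on a constructed fake clock."""
    now = [1000.0]
    store = SessionStore(lifetime=60, clock=lambda: now[0])
    token = store.create('2')                          # constructed user 2 logs in
    first = store.lookup(token)                        # '2'
    unknown = store.lookup(secrets.token_urlsafe(32))  # never issued -> None
    now[0] += 61                                       # lifetime passes
    expired = store.lookup(token)                      # None
    token2 = store.create('2')                         # logs in again
    store.destroy(token2)                              # and logs out
    after_logout = store.lookup(token2)                # None
    return first, unknown, expired, after_logout


if __name__ == '__main__':
    print(demo())
```
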

The mail gateway must be changed to:

- use digital signatures
- use the new logical control mechanisms

- switch all code over from using config vars for permission checks to using
  permissions

The command-line tool must be changed to:

- use the new logical control mechanisms (only allowing write
  access by admin users, and read-only by everyone else)


Use cases
=========

public
    end users that can submit bugs, request new features, request support
developer
    developers that can fix bugs, implement new features, provide support
manager
    approvers/managers that can approve new features and sign off bug fixes
admin
    administrators that can add users and set users' roles
system
    automated request handlers running various report/escalation scripts
privacy
    issues that are only visible to some users