Mercurial > p > roundup > code
annotate doc/security.txt @ 899:4f082e1242f7
more info
[[Parts of this commit other than changes to doc/customizing.txt may
originally have been a separate commit. Relevant metadata was stepped
on during conversion of CVS to Subversion.]]
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Thu, 25 Jul 2002 02:25:54 +0000 |
| parents | 7d41d4dae378 |
| children | b0d3d3535998 |
| rev | line source |
|---|---|
|
725
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1 =================== |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
2 Security Mechanisms |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
3 =================== |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
4 |
|
877
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
5 :Version: $Revision: 1.11 $ |
|
725
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
6 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
7 Current situation |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
8 ================= |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
9 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
10 Current logical controls: |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
11 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
12 ANONYMOUS_ACCESS = 'deny' |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
13 Deny or allow anonymous access to the web interface |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
14 ANONYMOUS_REGISTER = 'deny' |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
15 Deny or allow anonymous users to register through the web interface |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
16 ANONYMOUS_REGISTER_MAIL = 'deny' |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
17 Deny or allow anonymous users to register through the mail interface |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
18 |
|
774
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
19 Current user interface authentication and controls: |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
20 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
21 - command-line tool access controlled with passwords, but no logical controls |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
22 - CGI access is by username and password and has some logical controls |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
23 - mailgw access is through identification using sender email address, with |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
24 limited functionality available |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
25 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
26 The web interface implements has specific logical controls, |
|
725
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
27 preventing non-admin users from accessing: |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
28 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
29 - other user's details pages |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
30 - listing the base classes (not issues or their user page) |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
31 - editing base classes |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
32 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
33 Issues |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
34 ====== |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
35 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
36 1. The current implementation is ad-hoc, and not complete for all `use cases`_. |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
37 2. Currently it is not possible to allow submission of issues through email |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
38 but restrict those users from accessing the web interface. |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
39 3. Only one user may perform admin functions. |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
40 4. There is no verification of users in the mail gateway by any means other |
|
774
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
41 than the From address. Support for strong identification through digital |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
42 signatures should be added. |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
43 5. The command-line tool has no logical controls. |
|
725
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
44 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
45 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
46 Possible approaches |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
47 =================== |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
48 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
49 Security controls in Roundup could be approached in three ways: |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
50 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
51 1) at the hyperdb level, with read/write/modify permissions on classes, nodes |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
52 and node properties for all or specific transitions. |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
53 2) at the user interface level, with access permissions on CGI interface |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
54 methods, mailgw methods, roundup-admin methods, and so on. |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
55 3) at a logical permission level, checked as needed. |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
56 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
57 In all cases, the security built into roundup assumes restricted access to the |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
58 hyperdatabase itself, through Operating System controls such as user or group |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
59 permissions. |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
60 |
|
774
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
61 |
|
725
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
62 Hyperdb-level control |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
63 --------------------- |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
64 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
65 Control is implemented at the Class.get, Class.set and Class.create level. All |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
66 other methods must access nodes through these methods. Since all accesses go |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
67 through the database, we can implement deny by default. |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
68 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
69 Pros: |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
70 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
71 - easier to implement as it only affects one module |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
72 - smaller number of permissions to worry about |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
73 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
74 Cons: |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
75 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
76 - harder to determine the relationship between user interaction and hyperdb |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
77 permission. |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
78 - a lot of work to define |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
79 - must special-case to handle by-node permissions (editing user details, |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
80 having private messages) |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
81 |
|
725
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
82 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
83 User-interface control |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
84 ---------------------- |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
85 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
86 The user interfaces would have an extra layer between that which |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
87 parses the request to determine action and the action method. This layer |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
88 controls access. Since it is possible to require methods be registered |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
89 with the security mechanisms to be accessed by the user, deny by default |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
90 is possible. |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
91 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
92 Pros: |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
93 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
94 - much more obvious at the user level what the controls are |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
95 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
96 Cons: |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
97 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
98 - much more work to implement |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
99 - most user interfaces have multiple uses which can't be covered by a |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
100 single permission |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
101 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
102 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
103 Logical control |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
104 --------------- |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
105 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
106 At each point that requires an action to be performed, the security mechanisms |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
107 are asked if the current user has permission. Since code must call the |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
108 check function to raise a denial, there is no possibility to have automatic |
|
725
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
109 default of deny in this situation. |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
110 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
111 Pros: |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
112 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
113 - quite obvious what is going on |
|
870
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
114 - is very similar to the current system |
|
725
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
115 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
116 Cons: |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
117 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
118 - large number of possible permissions that may be defined, possibly |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
119 mirroring actual user interface controls. |
|
774
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
120 - access to the hyperdb must be strictly controlled through program code |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
121 that implements the logical controls. |
|
725
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
122 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
123 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
124 Applying controls to users |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
125 ========================== |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
126 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
127 Individual assignment of Permission to User is unwieldy. The concept of a |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
128 Role, which encompasses several Permissions and may be assigned to many Users, |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
129 is quite well developed in many projects. Roundup will take this path, and |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
130 allow the multiple assignment of Roles to Users, and multiple Permissions to |
|
870
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
131 Roles. These definitions will be stored in the hyperdb. They don't need to be |
|
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
132 pushed to the actual database though. |
|
725
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
133 |
|
871
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
134 There will be two levels of Permission. The Class level permissions define |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
135 logical permissions associated with all nodes of a particular class (or all |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
136 classes). The Node level permissions define logical permissions associated |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
137 with specific nodes by way of their user-linked properties. |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
138 |
|
877
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
139 A security module defines:: |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
140 |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
141 class InMemoryImmutableClass(hyperdb.Class): |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
142 ''' Don't allow changes to this class's nodes. |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
143 ''' |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
144 def __init__(self, db, classname, **properties): |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
145 ''' Set up an in-memory store for the nodes of this class |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
146 ''' |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
147 |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
148 def create(self, **propvalues): |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
149 ''' Create a new node in the in-memory store |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
150 ''' |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
151 |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
152 def get(self, nodeid, propname, default=_marker, cache=1): |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
153 ''' Get the node from the in-memory store |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
154 ''' |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
155 |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
156 def set(self, *args): |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
157 raise ValueError, "%s are immutable"%self.__class__.__name__ |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
158 |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
159 class PermissionClass(InMemoryImmutableClass): |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
160 ''' Include the default attributes: |
|
870
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
161 - name (String) |
|
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
162 - classname (String) |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
163 - description (String) |
|
870
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
164 |
|
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
165 The classname may be unset, indicating that this permission is not |
|
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
166 locked to a particular class. That means there may be multiple |
|
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
167 Permissions for the same name for different classes. |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
168 ''' |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
169 |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
170 class RoleClass(InMemoryImmutableClass): |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
171 ''' Include the default attributes: |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
172 - name (String, key) |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
173 - description (String) |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
174 - permissions (PermissionClass Multilink) |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
175 ''' |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
176 |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
177 class Security: |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
178 def __init__(self, db): |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
179 ''' Initialise the permission and role classes, and add in the |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
180 base roles (for admin user). |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
181 ''' |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
182 # use a weak ref to avoid circularity |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
183 self.db = weakref.proxy(db) |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
184 |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
185 # create the permission class instance (we only need one)) |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
186 self.permission = PermissionClass(db, "permission") |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
187 |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
188 # create the role class instance (we only need one) |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
189 self.role = RoleClass(db, "role") |
|
871
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
190 |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
191 # the default Roles |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
192 self.addRole(name="User", description="A regular user, no privs") |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
193 self.addRole(name="Admin", description="An admin user, full privs") |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
194 self.addRole(name="No Rego", |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
195 description="A user who can't register") |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
196 |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
197 ee = self.addPermission(name="Edit", |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
198 description="User may edit everthing") |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
199 self.addPermissionToRole('Admin', ee) |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
200 ae = self.addPermission(name="Assign", |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
201 description="User may be assigned to anything") |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
202 self.addPermissionToRole('Admin', ae) |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
203 |
|
877
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
204 # initialise the permissions and roles needed for the UIs |
|
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
205 from roundup import cgi_client, mailgw |
|
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
206 cgi_client.initialiseSecurity(self) |
|
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
207 mailgw.initialiseSecurity(self) |
|
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
208 |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
209 def hasClassPermission(self, db, classname, permission, userid): |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
210 ''' Look through all the Roles, and hence Permissions, and see if |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
211 "permission" is there for the specified classname. |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
212 |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
213 ''' |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
214 |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
215 def hasNodePermission(self, db, classname, nodeid, userid, properties): |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
216 ''' Check the named properties of the given node to see if the |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
217 userid appears in them. If it does, then the user is granted |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
218 this permission check. |
|
871
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
219 |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
220 'propspec' consists of a list of property names. The property |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
221 names must be the name of a property of classname, or a |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
222 KeyError is raised. That property must be a Link or Multilink |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
223 property, or a TypeError is raised. |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
224 |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
225 If the property is a Link, the userid must match the property |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
226 value. If the property is a Multilink, the userid must appear |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
227 in the Multilink list. |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
228 ''' |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
229 |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
230 def addPermission(self, **propspec): |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
231 ''' Create a new Permission with the properties defined in |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
232 'propspec' |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
233 ''' |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
234 |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
235 def addRole(self, **propspec): |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
236 ''' Create a new Role with the properties defined in 'propspec' |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
237 ''' |
|
871
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
238 |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
239 def addPermissionToRole(self, rolename, permissionid): |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
240 ''' Add the permission to the role's permission list. |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
241 |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
242 'rolename' is the name of the role to add 'permissionid'. |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
243 ''' |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
244 |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
245 Modules such as ``cgi_client.py`` and ``mailgw.py`` define their own |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
246 permissions like so (this example is ``cgi_client.py``):: |
|
871
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
247 |
|
877
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
248 def initialiseSecurity(security): |
|
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
249 ''' Create some Permissions and Roles on the security object |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
250 |
|
877
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
251 This function is directly invoked by security.Security.__init__() |
|
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
252 as a part of the Security object instantiation. |
|
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
253 ''' |
|
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
254 newid = security.addPermission(name="Web Access", |
|
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
255 description="User may use the web interface") |
|
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
256 security.addToRole('User', newid) |
|
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
257 security.addToRole('No Rego', newid) |
|
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
258 newid = security.addPermission(name="Web Registration", |
|
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
259 description="User may register through the web") |
|
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
260 security.addToRole('User', newid) |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
261 |
|
870
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
262 The instance dbinit module then has in ``open()``:: |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
263 |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
264 # open the database - it must be modified to init the Security class |
|
877
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
265 # from security.py as db.security |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
266 db = Database(instance_config, name) |
|
870
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
267 |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
268 # add some extra permissions and associate them with roles |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
269 ei = db.security.addPermission(name="Edit", classname="issue", |
|
870
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
270 description="User is allowed to edit issues") |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
271 db.security.addPermissionToRole('User', ei) |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
272 ai = db.security.addPermission(name="Assign", classname="issue", |
|
870
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
273 description="User may be assigned to issues") |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
274 db.security.addPermissionToRole('User', ei) |
|
870
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
275 |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
276 In the dbinit ``init()``:: |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
277 |
|
811
2a0886bacdcc
Note correct API calls in the doc ;)
Richard Jones <richard@users.sourceforge.net>
parents:
774
diff
changeset
|
278 r = db.getclass('role').lookup('Admin') |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
279 user.create(username="admin", password=Password(adminpw), |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
280 address=instance_config.ADMIN_EMAIL, roles=[r]) |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
281 |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
282 # choose your anonymous user access permission here |
|
811
2a0886bacdcc
Note correct API calls in the doc ;)
Richard Jones <richard@users.sourceforge.net>
parents:
774
diff
changeset
|
283 #r = db.getclass('role').lookup('No Rego') |
|
2a0886bacdcc
Note correct API calls in the doc ;)
Richard Jones <richard@users.sourceforge.net>
parents:
774
diff
changeset
|
284 r = db.getclass('role').lookup('User') |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
285 user.create(username="anonymous", roles=[r]) |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
286 |
|
865
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
287 Then in the code that matters, calls to ``hasPermission`` are made to |
|
871
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
288 determine if the user has permission to perform some action:: |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
289 |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
290 if db.security.hasClassPermission('issue', 'Edit', self.user): |
|
871
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
291 # all ok |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
292 |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
293 if db.security.hasNodePermission('issue', nodeid, self.user, |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
294 ['assignedto']): |
|
871
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
295 # all ok |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
296 |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
297 The htmltemplate will implement a new tag, <permission> which has the form:: |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
298 |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
299 <permission require=name,name,name node=assignedto> |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
300 HTML to display if the user has the permission. |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
301 <else> |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
302 HTML to display if the user does not have the permission. |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
303 </permission> |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
304 |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
305 where the require attribute gives a comma-separated list of permission names |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
306 which are required, and the node attribute gives a comma-separated list of |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
307 node properties whose value must match the current user's id. Either of these |
|
875
d19dd123bda2
just some formatting and a minor clarification.
Richard Jones <richard@users.sourceforge.net>
parents:
871
diff
changeset
|
308 tests must pass or the permission check will fail. The section of html within |
|
d19dd123bda2
just some formatting and a minor clarification.
Richard Jones <richard@users.sourceforge.net>
parents:
871
diff
changeset
|
309 the side of the ``<else>`` that fails is remove from processing. |
|
865
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
310 |
|
774
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
311 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
312 Authentication of Users |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
313 ----------------------- |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
314 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
315 Users must be authenticated correctly for the above controls to work. This is |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
316 not done in the current mail gateway at all. Use of digital signing of |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
317 messages could alleviate this problem. |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
318 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
319 The exact mechanism of registering the digital signature should be flexible, |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
320 with perhaps a level of trust. Users who supply their signature through their |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
321 first message into the tracker should be at a lower level of trust to those |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
322 who supply their signature to an admin for submission to their user details. |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
323 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
324 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
325 Action |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
326 ====== |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
327 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
328 The CGI interface must be changed to: |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
329 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
330 - authenticate over a secure connection |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
331 - use unique tokens as a result of authentication, rather than pass the user's |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
332 real credentials (username/password) around for each request (this means |
|
840
e07e5903c3b4
Updated documents
Richard Jones <richard@users.sourceforge.net>
parents:
811
diff
changeset
|
333 sessions and hence a session database) |
|
774
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
334 - use the new logical control mechanisms |
|
875
d19dd123bda2
just some formatting and a minor clarification.
Richard Jones <richard@users.sourceforge.net>
parents:
871
diff
changeset
|
335 |
|
865
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
336 - implement the permission module |
|
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
337 - implement a Role editing interface for users |
|
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
338 - implement htmltemplate tests on permissions |
|
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
339 - switch all code over from using config vars for permission checks to using |
|
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
340 permissions |
|
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
341 - include config vars for initial Roles for anonymous web, new web and new |
|
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
342 email users |
|
774
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
343 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
344 The mail gateway must be changed to: |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
345 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
346 - use digital signatures |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
347 - use the new logical control mechanisms |
|
875
d19dd123bda2
just some formatting and a minor clarification.
Richard Jones <richard@users.sourceforge.net>
parents:
871
diff
changeset
|
348 |
|
865
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
349 - switch all code over from using config vars for permission checks to using |
|
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
350 permissions |
|
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
351 |
|
774
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
352 The command-line tool must be changed to: |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
353 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
354 - use the new logical control mechanisms (only allowing write |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
355 access by admin users, and read-only by everyone else) |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
356 |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
357 |
|
725
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
358 Use cases |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
359 ========= |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
360 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
361 public |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
362 end users that can submit bugs, request new features, request support |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
363 developer |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
364 developers that can fix bugs, implement new features provide support |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
365 manager |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
366 approvers/managers that can approve new features and signoff bug fixes |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
367 admin |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
368 administrators that can add users and set user's roles |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
369 system |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
370 automated request handlers running various report/escalation scripts |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
371 privacy |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
372 issues that are only visible to some users |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
373 |