Mercurial > p > roundup > code
annotate doc/security.txt @ 902:b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Still to do:
. call the security funcs from cgi and mailgw
. change shipped templates to include correct initialisation and remove
the old config vars
... that seems like a lot. The bulk of the work has been done though. Honest :)
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Thu, 25 Jul 2002 07:14:06 +0000 |
| parents | 7d41d4dae378 |
| children | 502a5ae11cc5 |
| rev | line source |
|---|---|
|
725
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1 =================== |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
2 Security Mechanisms |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
3 =================== |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
4 |
|
902
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
5 :Version: $Revision: 1.12 $ |
|
725
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
6 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
7 Current situation |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
8 ================= |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
9 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
10 Current logical controls: |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
11 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
12 ANONYMOUS_ACCESS = 'deny' |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
13 Deny or allow anonymous access to the web interface |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
14 ANONYMOUS_REGISTER = 'deny' |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
15 Deny or allow anonymous users to register through the web interface |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
16 ANONYMOUS_REGISTER_MAIL = 'deny' |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
17 Deny or allow anonymous users to register through the mail interface |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
18 |
|
774
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
19 Current user interface authentication and controls: |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
20 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
21 - command-line tool access controlled with passwords, but no logical controls |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
22 - CGI access is by username and password and has some logical controls |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
23 - mailgw access is through identification using sender email address, with |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
24 limited functionality available |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
25 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
26 The web interface implements has specific logical controls, |
|
725
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
27 preventing non-admin users from accessing: |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
28 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
29 - other user's details pages |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
30 - listing the base classes (not issues or their user page) |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
31 - editing base classes |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
32 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
33 Issues |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
34 ====== |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
35 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
36 1. The current implementation is ad-hoc, and not complete for all `use cases`_. |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
37 2. Currently it is not possible to allow submission of issues through email |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
38 but restrict those users from accessing the web interface. |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
39 3. Only one user may perform admin functions. |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
40 4. There is no verification of users in the mail gateway by any means other |
|
774
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
41 than the From address. Support for strong identification through digital |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
42 signatures should be added. |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
43 5. The command-line tool has no logical controls. |
|
902
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
44 6. The anonymous control needs revising - there should only be one way to be |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
45 an anonymous user, not two (currently there is user==None and |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
46 user=='anonymous). |
|
725
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
47 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
48 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
49 Possible approaches |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
50 =================== |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
51 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
52 Security controls in Roundup could be approached in three ways: |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
53 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
54 1) at the hyperdb level, with read/write/modify permissions on classes, nodes |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
55 and node properties for all or specific transitions. |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
56 2) at the user interface level, with access permissions on CGI interface |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
57 methods, mailgw methods, roundup-admin methods, and so on. |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
58 3) at a logical permission level, checked as needed. |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
59 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
60 In all cases, the security built into roundup assumes restricted access to the |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
61 hyperdatabase itself, through Operating System controls such as user or group |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
62 permissions. |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
63 |
|
774
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
64 |
|
725
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
65 Hyperdb-level control |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
66 --------------------- |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
67 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
68 Control is implemented at the Class.get, Class.set and Class.create level. All |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
69 other methods must access nodes through these methods. Since all accesses go |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
70 through the database, we can implement deny by default. |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
71 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
72 Pros: |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
73 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
74 - easier to implement as it only affects one module |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
75 - smaller number of permissions to worry about |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
76 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
77 Cons: |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
78 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
79 - harder to determine the relationship between user interaction and hyperdb |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
80 permission. |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
81 - a lot of work to define |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
82 - must special-case to handle by-node permissions (editing user details, |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
83 having private messages) |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
84 |
|
725
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
85 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
86 User-interface control |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
87 ---------------------- |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
88 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
89 The user interfaces would have an extra layer between that which |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
90 parses the request to determine action and the action method. This layer |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
91 controls access. Since it is possible to require methods be registered |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
92 with the security mechanisms to be accessed by the user, deny by default |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
93 is possible. |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
94 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
95 Pros: |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
96 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
97 - much more obvious at the user level what the controls are |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
98 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
99 Cons: |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
100 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
101 - much more work to implement |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
102 - most user interfaces have multiple uses which can't be covered by a |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
103 single permission |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
104 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
105 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
106 Logical control |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
107 --------------- |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
108 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
109 At each point that requires an action to be performed, the security mechanisms |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
110 are asked if the current user has permission. Since code must call the |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
111 check function to raise a denial, there is no possibility to have automatic |
|
725
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
112 default of deny in this situation. |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
113 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
114 Pros: |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
115 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
116 - quite obvious what is going on |
|
870
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
117 - is very similar to the current system |
|
725
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
118 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
119 Cons: |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
120 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
121 - large number of possible permissions that may be defined, possibly |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
122 mirroring actual user interface controls. |
|
774
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
123 - access to the hyperdb must be strictly controlled through program code |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
124 that implements the logical controls. |
|
725
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
125 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
126 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
127 Applying controls to users |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
128 ========================== |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
129 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
130 Individual assignment of Permission to User is unwieldy. The concept of a |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
131 Role, which encompasses several Permissions and may be assigned to many Users, |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
132 is quite well developed in many projects. Roundup will take this path, and |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
133 allow the multiple assignment of Roles to Users, and multiple Permissions to |
|
870
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
134 Roles. These definitions will be stored in the hyperdb. They don't need to be |
|
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
135 pushed to the actual database though. |
|
725
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
136 |
|
871
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
137 There will be two levels of Permission. The Class level permissions define |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
138 logical permissions associated with all nodes of a particular class (or all |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
139 classes). The Node level permissions define logical permissions associated |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
140 with specific nodes by way of their user-linked properties. |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
141 |
|
877
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
142 A security module defines:: |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
143 |
|
902
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
144 class InMemoryClass(hyperdb.Class): |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
145 ''' Just be an in-memory class |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
146 ''' |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
147 def __init__(self, db, classname, **properties): |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
148 ''' Set up an in-memory store for the nodes of this class |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
149 ''' |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
150 |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
151 def create(self, **propvalues): |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
152 ''' Create a new node in the in-memory store |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
153 ''' |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
154 |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
155 def get(self, nodeid, propname, default=_marker, cache=1): |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
156 ''' Get the node from the in-memory store |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
157 ''' |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
158 |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
159 def set(self, *args): |
|
902
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
160 ''' Set values on the node |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
161 ''' |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
162 |
|
902
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
163 class PermissionClass(InMemoryClass): |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
164 ''' Include the default attributes: |
|
870
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
165 - name (String) |
|
902
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
166 - klass (String) |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
167 - description (String) |
|
870
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
168 |
|
902
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
169 The klass may be unset, indicating that this permission is not |
|
870
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
170 locked to a particular class. That means there may be multiple |
|
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
171 Permissions for the same name for different classes. |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
172 ''' |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
173 |
|
902
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
174 class RoleClass(InMemoryClass): |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
175 ''' Include the default attributes: |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
176 - name (String, key) |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
177 - description (String) |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
178 - permissions (PermissionClass Multilink) |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
179 ''' |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
180 |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
181 class Security: |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
182 def __init__(self, db): |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
183 ''' Initialise the permission and role classes, and add in the |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
184 base roles (for admin user). |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
185 ''' |
|
877
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
186 |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
187 def hasClassPermission(self, db, classname, permission, userid): |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
188 ''' Look through all the Roles, and hence Permissions, and see if |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
189 "permission" is there for the specified classname. |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
190 |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
191 ''' |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
192 |
|
902
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
193 def hasNodePermission(self, db, classname, nodeid, **propspec): |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
194 ''' Check the named properties of the given node to see if the |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
195 userid appears in them. If it does, then the user is granted |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
196 this permission check. |
|
871
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
197 |
|
902
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
198 'propspec' consists of a set of properties and values that |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
199 must be present on the given node for access to be granted. |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
200 |
|
902
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
201 If a property is a Link, the value must match the property |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
202 value. If a property is a Multilink, the value must appear |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
203 in the Multilink list. |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
204 ''' |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
205 |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
206 def addPermission(self, **propspec): |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
207 ''' Create a new Permission with the properties defined in |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
208 'propspec' |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
209 ''' |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
210 |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
211 def addRole(self, **propspec): |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
212 ''' Create a new Role with the properties defined in 'propspec' |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
213 ''' |
|
871
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
214 |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
215 def addPermissionToRole(self, rolename, permissionid): |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
216 ''' Add the permission to the role's permission list. |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
217 |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
218 'rolename' is the name of the role to add 'permissionid'. |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
219 ''' |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
220 |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
221 Modules such as ``cgi_client.py`` and ``mailgw.py`` define their own |
|
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
222 permissions like so (this example is ``cgi_client.py``):: |
|
871
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
223 |
|
877
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
224 def initialiseSecurity(security): |
|
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
225 ''' Create some Permissions and Roles on the security object |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
226 |
|
877
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
227 This function is directly invoked by security.Security.__init__() |
|
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
228 as a part of the Security object instantiation. |
|
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
229 ''' |
|
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
230 newid = security.addPermission(name="Web Registration", |
|
902
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
231 description="Anonymous users may register through the web") |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
232 security.addToRole('Anonymous', newid) |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
233 |
|
870
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
234 The instance dbinit module then has in ``open()``:: |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
235 |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
236 # open the database - it must be modified to init the Security class |
|
877
7d41d4dae378
this could work...
Richard Jones <richard@users.sourceforge.net>
parents:
876
diff
changeset
|
237 # from security.py as db.security |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
238 db = Database(instance_config, name) |
|
870
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
239 |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
240 # add some extra permissions and associate them with roles |
|
902
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
241 ei = db.security.addPermission(name="Edit", klass="issue", |
|
870
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
242 description="User is allowed to edit issues") |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
243 db.security.addPermissionToRole('User', ei) |
|
902
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
244 ai = db.security.addPermission(name="Assign", klass="issue", |
|
870
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
245 description="User may be assigned to issues") |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
246 db.security.addPermissionToRole('User', ei) |
|
870
a3de8f9b2ede
more thoughts... almost there I think
Richard Jones <richard@users.sourceforge.net>
parents:
865
diff
changeset
|
247 |
|
876
2ccfd7fa0099
Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents:
875
diff
changeset
|
248 In the dbinit ``init()``:: |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
249 |
|
811
2a0886bacdcc
Note correct API calls in the doc ;)
Richard Jones <richard@users.sourceforge.net>
parents:
774
diff
changeset
|
250 r = db.getclass('role').lookup('Admin') |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
251 user.create(username="admin", password=Password(adminpw), |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
252 address=instance_config.ADMIN_EMAIL, roles=[r]) |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
253 |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
254 # choose your anonymous user access permission here |
|
811
2a0886bacdcc
Note correct API calls in the doc ;)
Richard Jones <richard@users.sourceforge.net>
parents:
774
diff
changeset
|
255 #r = db.getclass('role').lookup('No Rego') |
|
2a0886bacdcc
Note correct API calls in the doc ;)
Richard Jones <richard@users.sourceforge.net>
parents:
774
diff
changeset
|
256 r = db.getclass('role').lookup('User') |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
257 user.create(username="anonymous", roles=[r]) |
|
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
258 |
|
902
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
259 Then in the code that matters, calls to ``hasClassPermission`` and |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
260 ``hasNodePermission`` are made to determine if the user has permission |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
261 to perform some action:: |
|
871
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
262 |
|
902
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
263 if db.security.hasClassPermission('issue', 'Edit', userid): |
|
871
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
264 # all ok |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
265 |
|
902
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
266 if db.security.hasNodePermission('issue', nodeid, assignedto=userid): |
|
871
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
267 # all ok |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
268 |
|
902
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
269 Code in the core will make use of these methods, as should code in auditors in |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
270 custom templates. The htmltemplate will implement a new tag, ``<require>`` |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
271 which has the form:: |
|
871
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
272 |
|
902
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
273 <require permission="name,name,name" assignedto="$userid" status="open"> |
|
871
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
274 HTML to display if the user has the permission. |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
275 <else> |
|
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
276 HTML to display if the user does not have the permission. |
|
902
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
277 </require> |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
278 |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
279 where: |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
280 |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
281 - the permission attribute gives a comma-separated list of permission names. |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
282 These are checked in turn using ``hasClassPermission`` and requires one to |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
283 be OK. |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
284 - the other attributes are lookups on the node using ``hasNodePermission``. If |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
285 the attribute value is "$userid" then the current user's userid is tested. |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
286 |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
287 Any of these tests must pass or the ``<require>`` check will fail. The section |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
288 of html within the side of the ``<else>`` that fails is remove from processing. |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
289 |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
290 Implementation as shipped |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
291 ------------------------- |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
292 |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
293 A set of Permissions are built in to the security module by default: |
|
871
a4ab8fdf83a2
More (hopefully final) thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
870
diff
changeset
|
294 |
|
902
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
295 - Edit (everything) |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
296 - Access (everything) |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
297 - Assign (everything) |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
298 |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
299 The default interfaces define: |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
300 |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
301 - Web Registration |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
302 - Email Registration |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
303 |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
304 These are hooked into the default Roles: |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
305 |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
306 - Admin (Edit everything, Access everything, Assign everything) |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
307 - User () |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
308 - Anonymous (Web Registration, Email Registration) |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
309 |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
310 And finally, the "admin" user gets the "Admin" Role, and the "anonymous" user |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
311 gets the "Anonymous" assigned when the database is initialised on installation. |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
312 The two default schemas then define: |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
313 |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
314 - Edit issue, Access issue (both) |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
315 - Edit support, Access support (extended only) |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
316 |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
317 and assign those Permissions to the "User" Role. |
|
865
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
318 |
|
774
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
319 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
320 Authentication of Users |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
321 ----------------------- |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
322 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
323 Users must be authenticated correctly for the above controls to work. This is |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
324 not done in the current mail gateway at all. Use of digital signing of |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
325 messages could alleviate this problem. |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
326 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
327 The exact mechanism of registering the digital signature should be flexible, |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
328 with perhaps a level of trust. Users who supply their signature through their |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
329 first message into the tracker should be at a lower level of trust to those |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
330 who supply their signature to an admin for submission to their user details. |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
331 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
332 |
|
902
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
333 Anonymous Users |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
334 --------------- |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
335 |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
336 The "anonymous" user must always exist, and defines the access permissions for |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
337 anonymous users. The three ANONYMOUS_ configuration variables are subsumed by |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
338 this new functionality. |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
339 |
|
b0d3d3535998
Bugger it. Here's the current shape of the new security implementation.
Richard Jones <richard@users.sourceforge.net>
parents:
877
diff
changeset
|
340 |
|
774
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
341 Action |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
342 ====== |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
343 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
344 The CGI interface must be changed to: |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
345 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
346 - authenticate over a secure connection |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
347 - use unique tokens as a result of authentication, rather than pass the user's |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
348 real credentials (username/password) around for each request (this means |
|
840
e07e5903c3b4
Updated documents
Richard Jones <richard@users.sourceforge.net>
parents:
811
diff
changeset
|
349 sessions and hence a session database) |
|
774
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
350 - use the new logical control mechanisms |
|
875
d19dd123bda2
just some formatting and a minor clarification.
Richard Jones <richard@users.sourceforge.net>
parents:
871
diff
changeset
|
351 |
|
865
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
352 - implement the permission module |
|
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
353 - implement a Role editing interface for users |
|
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
354 - implement htmltemplate tests on permissions |
|
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
355 - switch all code over from using config vars for permission checks to using |
|
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
356 permissions |
|
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
357 - include config vars for initial Roles for anonymous web, new web and new |
|
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
358 email users |
|
774
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
359 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
360 The mail gateway must be changed to: |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
361 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
362 - use digital signatures |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
363 - use the new logical control mechanisms |
|
875
d19dd123bda2
just some formatting and a minor clarification.
Richard Jones <richard@users.sourceforge.net>
parents:
871
diff
changeset
|
364 |
|
865
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
365 - switch all code over from using config vars for permission checks to using |
|
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
366 permissions |
|
261a71cb7f7f
Some refinements
Richard Jones <richard@users.sourceforge.net>
parents:
840
diff
changeset
|
367 |
|
774
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
368 The command-line tool must be changed to: |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
369 |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
370 - use the new logical control mechanisms (only allowing write |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
371 access by admin users, and read-only by everyone else) |
|
811475894dd9
More thoughts
Richard Jones <richard@users.sourceforge.net>
parents:
728
diff
changeset
|
372 |
|
728
d341cd0e7689
Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents:
725
diff
changeset
|
373 |
|
725
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
374 Use cases |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
375 ========= |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
376 |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
377 public |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
378 end users that can submit bugs, request new features, request support |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
379 developer |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
380 developers that can fix bugs, implement new features provide support |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
381 manager |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
382 approvers/managers that can approve new features and signoff bug fixes |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
383 admin |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
384 administrators that can add users and set user's roles |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
385 system |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
386 automated request handlers running various report/escalation scripts |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
387 privacy |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
388 issues that are only visible to some users |
|
2a563dbacd65
Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
389 |