annotate doc/security.txt @ 909:ef9c759c243e

Fix to hasPermission, thanks Stefan Seefeld.
author Richard Jones <richard@users.sourceforge.net>
date Mon, 29 Jul 2002 21:53:29 +0000
parents 38a74d1351c5
children 299f4890427d
===================
Security Mechanisms
===================

:Version: $Revision: 1.14 $

Current situation
=================

Current logical controls:

ANONYMOUS_ACCESS = 'deny'
  Deny or allow anonymous access to the web interface
ANONYMOUS_REGISTER = 'deny'
  Deny or allow anonymous users to register through the web interface
ANONYMOUS_REGISTER_MAIL = 'deny'
  Deny or allow anonymous users to register through the mail interface

Current user interface authentication and controls:

- command-line tool access controlled with passwords, but no logical controls
- CGI access is by username and password and has some logical controls
- mailgw access is through identification using sender email address, with
  limited functionality available

The web interface implements specific logical controls,
preventing non-admin users from accessing:

- other users' details pages
- listing the base classes (not issues or their user page)
- editing base classes

Issues
======

1. The current implementation is ad-hoc, and not complete for all `use cases`_.
2. Currently it is not possible to allow submission of issues through email
   but restrict those users from accessing the web interface.
3. Only one user may perform admin functions.
4. There is no verification of users in the mail gateway by any means other
   than the From address. Support for strong identification through digital
   signatures should be added.
5. The command-line tool has no logical controls.
6. The anonymous control needs revising - there should only be one way to be
   an anonymous user, not two (currently there is user==None and
   user=='anonymous').


Possible approaches
===================

Security controls in Roundup could be approached in three ways:

1) at the hyperdb level, with read/write/modify permissions on classes, nodes
   and node properties for all or specific transitions.
2) at the user interface level, with access permissions on CGI interface
   methods, mailgw methods, roundup-admin methods, and so on.
3) at a logical permission level, checked as needed.

In all cases, the security built into roundup assumes restricted access to the
hyperdatabase itself, through Operating System controls such as user or group
permissions.


Hyperdb-level control
---------------------

Control is implemented at the Class.get, Class.set and Class.create level. All
other methods must access nodes through these methods. Since all accesses go
through the database, we can implement deny by default.

Pros:

- easier to implement as it only affects one module
- smaller number of permissions to worry about

Cons:

- harder to determine the relationship between user interaction and hyperdb
  permission.
- a lot of work to define
- must special-case to handle by-node permissions (editing user details,
  having private messages)


User-interface control
----------------------

The user interfaces would have an extra layer between that which
parses the request to determine action and the action method. This layer
controls access. Since it is possible to require methods be registered
with the security mechanisms to be accessed by the user, deny by default
is possible.

Pros:

- much more obvious at the user level what the controls are

Cons:

- much more work to implement
- most user interfaces have multiple uses which can't be covered by a
  single permission


Logical control
---------------

At each point that requires an action to be performed, the security mechanisms
are asked if the current user has permission. Since code must call the
check function to raise a denial, there is no possibility to have automatic
default of deny in this situation.

Pros:

- quite obvious what is going on
- is very similar to the current system

Cons:

- large number of possible permissions that may be defined, possibly
  mirroring actual user interface controls.
- access to the hyperdb must be strictly controlled through program code
  that implements the logical controls.


Applying controls to users
==========================

Individual assignment of Permission to User is unwieldy. The concept of a
Role, which encompasses several Permissions and may be assigned to many Users,
is quite well developed in many projects. Roundup will take this path, and
allow the multiple assignment of Roles to Users, and multiple Permissions to
Roles. These definitions are not persistent - they're defined when the
application initialises.

There will be two levels of Permission. The Class level permissions define
logical permissions associated with all nodes of a particular class (or all
classes). The Node level permissions define logical permissions associated
with specific nodes by way of their user-linked properties.

The security module defines::

    class Permission:
        ''' Defines a Permission with the attributes
            - name
            - description
            - klass (optional)

            The klass may be unset, indicating that this permission is not
            locked to a particular hyperdb class. There may be multiple
            Permissions for the same name for different classes.
        '''

    class Role:
        ''' Defines a Role with the attributes
            - name
            - description
            - permissions
        '''

    class Security:
        def __init__(self, db):
            ''' Initialise the permission and role stores, and add in the
                base roles (for admin user).
            '''

        def getPermission(self, permission, classname=None):
            ''' Find the Permission matching the name and for the class, if the
                classname is specified.

                Raise ValueError if there is no exact match.
            '''

        def hasPermission(self, permission, userid, classname=None):
            ''' Look through all the Roles, and hence Permissions, and see if
                "permission" is there for the specified classname.
            '''

        def hasNodePermission(self, classname, nodeid, **propspec):
            ''' Check the named properties of the given node to see if the
                userid appears in them. If it does, then the user is granted
                this permission check.

                'propspec' consists of a set of properties and values that
                must be present on the given node for access to be granted.

                If a property is a Link, the value must match the property
                value. If a property is a Multilink, the value must appear
                in the Multilink list.
            '''

        def addPermission(self, **propspec):
            ''' Create a new Permission with the properties defined in
                'propspec'
            '''

        def addRole(self, **propspec):
            ''' Create a new Role with the properties defined in 'propspec'
            '''

        def addPermissionToRole(self, rolename, permission):
            ''' Add the permission to the role's permission list.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
204
907
38a74d1351c5 documentation updates
Richard Jones <richard@users.sourceforge.net>
parents: 905
diff changeset
205 'rolename' is the name of the role to add permission to.
876
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
206 '''
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
207
2ccfd7fa0099 Getting closer to a good framework.
Richard Jones <richard@users.sourceforge.net>
parents: 875
diff changeset
Modules such as ``cgi_client.py`` and ``mailgw.py`` define their own
permissions like so (this example is ``cgi_client.py``)::

    def initialiseSecurity(security):
        ''' Create some Permissions and Roles on the security object

            This function is directly invoked by security.Security.__init__()
            as a part of the Security object instantiation.
        '''
        newid = security.addPermission(name="Web Registration",
            description="Anonymous users may register through the web")
        security.addPermissionToRole('Anonymous', newid)

The instance dbinit module then has in ``open()``::

    # open the database - it must be modified to init the Security class
    # from security.py as db.security
    db = Database(instance_config, name)

    # add some extra permissions and associate them with roles
    ei = db.security.addPermission(name="Edit", klass="issue",
                    description="User is allowed to edit issues")
    db.security.addPermissionToRole('User', ei)
    ai = db.security.addPermission(name="View", klass="issue",
                    description="User is allowed to access issues")
    db.security.addPermissionToRole('User', ai)

In the dbinit ``init()``::

    # create the two default users
    user.create(username="admin", password=Password(adminpw),
        address=instance_config.ADMIN_EMAIL, roles='Admin')
    user.create(username="anonymous", roles='Anonymous')

Then in the code that matters, calls to ``hasPermission`` and
``hasNodePermission`` are made to determine if the user has permission
to perform some action::

    if db.security.hasPermission('issue', 'Edit', userid):
        pass  # all ok

    if db.security.hasNodePermission('issue', nodeid, assignedto=userid):
        pass  # all ok

Code in the core will make use of these methods, as should code in auditors in
custom templates. The htmltemplate will implement a new tag, ``<require>``,
which has the form::

    <require permission="name,name,name" assignedto="$userid" status="open">
     HTML to display if the user has the permission.
    <else>
     HTML to display if the user does not have the permission.
    </require>

where:

- the permission attribute gives a comma-separated list of permission names.
  These are checked in turn using ``hasPermission``, and at least one of them
  must be OK.
- the other attributes are lookups on the node using ``hasNodePermission``. If
  the attribute value is "$userid" then the current user's userid is tested.

All of these tests must pass or the ``<require>`` check will fail. The section
of HTML on the side of the ``<else>`` that does not apply is removed from
processing.
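
The following is an added example, not Roundup's own code: a small in-memory
model of the Permission/Role API described above (``addPermission``,
``addRole``, ``addPermissionToRole``, ``hasPermission``,
``hasNodePermission``) together with an evaluator that applies the
``<require>`` tag semantics just listed. It goes slightly beyond the text in
that it also checks the negative cases (wrong class, wrong assignee, unknown
node). The database layout (a dict of classname -> nodeid -> properties), the
rule that a Permission created without ``klass`` applies to every class, and
the comma-separated ``roles`` string on the user node are assumptions made for
the example, as is the ``evaluate_require`` function name.

```python
# Added example, not Roundup's code: in-memory model of the Permission/Role
# API and of the <require> tag rules. Assumptions: db is a dict of
# classname -> {nodeid: {prop: value}}, a Permission without 'klass' applies
# to every class, and a user's 'roles' is a comma-separated string.


class Security:
    def __init__(self, db):
        self.db = db                # classname -> {nodeid: {prop: value}}
        self.permissions = {}       # permission id -> propspec dict
        self.roles = {}             # role name -> list of permission ids

    def addPermission(self, **propspec):
        newid = str(len(self.permissions) + 1)
        self.permissions[newid] = dict(propspec)
        return newid

    def addRole(self, **propspec):
        self.roles[propspec['name']] = []
        return propspec['name']

    def addPermissionToRole(self, rolename, permission):
        self.roles[rolename].append(permission)

    def hasPermission(self, classname, permission, userid):
        '''True if one of the user's Roles carries a Permission of that name
           that is either specific to classname or unrestricted (no klass).'''
        roles = self.db['user'][userid].get('roles', '')
        for rolename in [r.strip() for r in roles.split(',') if r.strip()]:
            for pid in self.roles[rolename]:
                p = self.permissions[pid]
                if p.get('name') == permission and p.get('klass') in (None, classname):
                    return True
        return False

    def hasNodePermission(self, classname, nodeid, **propspec):
        '''Every property in propspec must hold on the node: a Link (scalar)
           must equal the value, a Multilink (list) must contain it.'''
        node = self.db[classname].get(nodeid)
        if node is None:
            return False            # unknown node: deny rather than raise
        for prop, value in propspec.items():
            actual = node.get(prop)
            if isinstance(actual, list):
                if value not in actual:
                    return False
            elif actual != value:
                return False
        return True


def evaluate_require(security, userid, classname, nodeid, permission, **attrs):
    '''Decide which branch of <require permission="a,b" attr="..."> renders:
       at least one named permission must pass hasPermission, and every other
       attribute must pass hasNodePermission with "$userid" replaced by the
       current user's id. True selects the "has permission" branch.'''
    names = [n.strip() for n in permission.split(',') if n.strip()]
    if not any(security.hasPermission(classname, n, userid) for n in names):
        return False
    resolved = {k: (userid if v == '$userid' else v) for k, v in attrs.items()}
    return security.hasNodePermission(classname, nodeid, **resolved)


def build_demo():
    '''Constructed sample tracker, wired up the way the text describes.'''
    db = {
        'user': {
            '1': {'username': 'admin', 'roles': 'Admin'},
            '2': {'username': 'anonymous', 'roles': 'Anonymous'},
            '3': {'username': 'alice', 'roles': 'User'},
            '4': {'username': 'bob', 'roles': 'User'},
        },
        'issue': {
            '7': {'title': 'login fails', 'status': 'open',
                  'assignedto': '3', 'nosy': ['1', '3']},
        },
    }
    security = Security(db)
    for name in ('Admin', 'User', 'Anonymous'):
        security.addRole(name=name)
    # built-in Permissions: Edit/View everything, held by the Admin Role
    for name in ('Edit', 'View'):
        security.addPermissionToRole('Admin', security.addPermission(name=name))
    # interface Permission, as in cgi_client's initialiseSecurity
    security.addPermissionToRole('Anonymous', security.addPermission(
        name='Web Registration',
        description='Anonymous users may register through the web'))
    # schema Permissions, as in the dbinit open() example
    ei = security.addPermission(name='Edit', klass='issue')
    security.addPermissionToRole('User', ei)
    ai = security.addPermission(name='View', klass='issue')
    security.addPermissionToRole('User', ai)
    return security
```

Two points the table of defaults alone does not show: a class-scoped
Permission ("Edit" on ``issue``) does not grant "Edit" on ``file``, and a
user who holds the Permission can still fail a ``<require>`` whose
``assignedto="$userid"`` lookup does not match the node, so the tag is a
conjunction of the role check and the node check.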

Implementation as shipped
-------------------------

A set of Permissions is built in to the security module by default:

- Edit (everything)
- View (everything)

The default interfaces define:

- Web Registration
- Email Registration

These are hooked into the default Roles:

- Admin (Edit everything, View everything)
- User ()
- Anonymous (Web Registration, Email Registration)

And finally, the "admin" user gets the "Admin" Role, and the "anonymous" user
gets the "Anonymous" Role assigned when the database is initialised on
installation. The two default schemas then define:

- Edit issue, View issue (both)
- Edit file, View file (both)
- Edit msg, View msg (both)
- Edit support, View support (extended only)

and assign those Permissions to the "User" Role. New users are assigned the
Roles defined in the config file as:

- NEW_WEB_USER_ROLES
- NEW_EMAIL_USER_ROLES


Authentication of Users
-----------------------

Users must be authenticated correctly for the above controls to work. This is
not done in the current mail gateway at all. Use of digital signing of
messages could alleviate this problem.

The exact mechanism of registering the digital signature should be flexible,
with perhaps a level of trust. Users who supply their signature through their
first message into the tracker should be at a lower level of trust than those
who supply their signature to an admin for submission to their user details.


Anonymous Users
---------------

The "anonymous" user must always exist, and defines the access permissions for
anonymous users. The three ``ANONYMOUS_`` configuration variables are
subsumed by this new functionality.


Action
======

The CGI interface must be changed to:

- authenticate over a secure connection
- use unique tokens as a result of authentication, rather than pass the user's
  real credentials (username/password) around for each request (this means
  sessions and hence a session database)
- use the new logical control mechanisms

- implement the permission module
- implement a Role editing interface for users
- implement htmltemplate tests on permissions
- switch all code over from using config vars for permission checks to using
  permissions
- change all explicit admin user checks for Role checks
- include config vars for initial Roles for anonymous web, new web and new
  email users
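
As an added illustration of the "unique tokens" item above (example code, not
Roundup's session implementation): a minimal session database that issues an
opaque random token at login and resolves it back to a userid on later
requests, so the username and password are presented once rather than on every
request. It stores only a hash of each token, so a copy of the session table
does not yield usable tokens, and it expires entries. The class name, the
one-hour default lifetime and the injectable clock are assumptions made for
the example.

```python
import hashlib
import secrets
import time

# Added example, not Roundup's code. Assumptions: the token is returned to the
# browser as a cookie over the secure connection the first bullet calls for;
# lifetime is in seconds; 'clock' is injectable so expiry can be tested.


class SessionStore:
    def __init__(self, lifetime=3600, clock=time.time):
        self.lifetime = lifetime
        self.clock = clock
        self._sessions = {}         # sha256(token) -> (userid, expires_at)

    @staticmethod
    def _key(token):
        # only the hash is kept, so a leaked table cannot be replayed
        return hashlib.sha256(token.encode('ascii')).hexdigest()

    def login(self, userid):
        '''Issue a fresh, unguessable token for an already-authenticated
           userid. 32 random bytes, URL-safe base64 encoded.'''
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = (userid, self.clock() + self.lifetime)
        return token

    def userid_for(self, token):
        '''Resolve a presented token to a userid; None if unknown or expired.
           Expired entries are dropped on the way out.'''
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        userid, expires_at = entry
        if self.clock() >= expires_at:
            del self._sessions[key]
            return None
        return userid

    def logout(self, token):
        '''Invalidate a token server-side; deleting the cookie alone is not
           enough, since the token would still resolve until it expires.'''
        self._sessions.pop(self._key(token), None)


def demo():
    '''Constructed walk-through: valid lookup, unknown token, expiry.'''
    now = [1000.0]
    store = SessionStore(lifetime=60, clock=lambda: now[0])
    tok = store.login('3')
    first = store.userid_for(tok)               # '3'
    forged = store.userid_for('not-a-real-token')  # None
    now[0] += 61
    expired = store.userid_for(tok)             # None once the lifetime passed
    return first, forged, expired
```

Each request then carries only the token, and ``userid_for`` supplies the
userid that ``hasPermission`` and ``hasNodePermission`` take as their
argument; the credentials themselves are never stored in the session table.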
774
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
348
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
349 The mail gateway must be changed to:
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
350
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
351 - use digital signatures
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
352 - use the new logical control mechanisms
875
d19dd123bda2 just some formatting and a minor clarification.
Richard Jones <richard@users.sourceforge.net>
parents: 871
diff changeset
353
865
261a71cb7f7f Some refinements
Richard Jones <richard@users.sourceforge.net>
parents: 840
diff changeset
354 - switch all code over from using config vars for permission checks to using
261a71cb7f7f Some refinements
Richard Jones <richard@users.sourceforge.net>
parents: 840
diff changeset
355 permissions
261a71cb7f7f Some refinements
Richard Jones <richard@users.sourceforge.net>
parents: 840
diff changeset
356
774
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
357 The command-line tool must be changed to:
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
358
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
359 - use the new logical control mechanisms (only allowing write
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
360 access by admin users, and read-only by everyone else)
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
361
728
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
362
Use cases
=========

public
  end users that can submit bugs, request new features, request support
developer
  developers that can fix bugs, implement new features, provide support
manager
  approvers/managers that can approve new features and sign off bug fixes
admin
  administrators that can add users and set users' roles
system
  automated request handlers running various report/escalation scripts
privacy
  issues that are only visible to some users