CallbackAuthenticationPolicy/ACLAuthorizationPolicy and group names


Przemyslaw Wegrzyn

Jul 5, 2012, 7:56:53 PM7/5/12
to pylons-...@googlegroups.com
Hi!

Let me share one thought that just occurred to me while looking at
ACLAuthorizationPolicy source code.

The thing is - the list of principals returned by authentication policy
is basically a list of strings - for users logged in it contains
'system.Authenticated', user ID (as returned by authenticated_userid
call) and a list of principals returned by a callback given to policy
object constructor.

Various Pyramid tutorials I've seen so far recommend prefixing group
names like e.g. 'group:editors'. But still the user name and group names
are thrown into the same list. In a system where a user can choose
arbitrary login, she can choose 'group:editors' and effectively gain
some extra privileges.

Of course, it should be enough to filter the allowed user names properly
(which is a good idea anyway), but mixing user and prefixed group names
in the same namespace doesn't seem very secure to me. I think it could
also be fine to prefix all user names (as returned from
unauthenticated_userid()) with 'user:' prefix (or similar), thus making
it impossible to introduce a user name that matches a prefixed group name.

Perhaps I overlooked something? Perhaps it's at least worth documenting
(unless I'm totally wrong, of course)?

BR,
Przemek

Daniel Holth

Jul 6, 2012, 9:59:58 AM7/6/12
to pylons-...@googlegroups.com
I like to prefix my user names with user: for that reason. That way the tricky user is 'user:group:admin'

Przemyslaw Wegrzyn

Jul 9, 2012, 4:22:26 AM7/9/12
to pylons-...@googlegroups.com
On 06/07/12 15:59, Daniel Holth wrote:
> I like to prefix my user names with user: for that reason. That way
> the tricky user is 'user:group:admin'

Thanks! I'm glad to see it's not only my concern. I think it should
really be well explained in the manual, anyway.

BR,
Przemek
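Added example illustrating the namespace collision from the first post and the 'user:' prefix from Daniel's reply. It is not code from the thread or from Pyramid: it is a small stand-in modelled on how the callback policy assembles the principal list and how the ACL policy walks ACEs; the helper names and the user table are constructed for the demonstration.

```python
# Stand-in for Pyramid's CallbackAuthenticationPolicy.effective_principals()
# and ACLAuthorizationPolicy.permits(); simplified, not Pyramid's own code.
EVERYONE = "system.Everyone"
AUTHENTICATED = "system.Authenticated"
ALLOW, DENY = "Allow", "Deny"

def effective_principals(userid, groups_callback, userid_prefix=""):
    """Everyone, then Authenticated + userid + callback groups when logged in.
    userid_prefix='' models the unprefixed scheme; 'user:' models the fix."""
    principals = [EVERYONE]
    if userid is None:
        return principals
    groups = groups_callback(userid)
    if groups is None:          # callback returning None: unknown user
        return principals
    principals.append(AUTHENTICATED)
    principals.append(userid_prefix + userid)   # user ID and groups share one list
    principals.extend(groups)
    return principals

def permits(acl, principals, permission):
    """First ACE whose principal and permission match decides; default deny."""
    for action, principal, perms in acl:
        if principal in principals and permission in perms:
            return action == ALLOW
    return False

# Constructed sample data: a fake user table consulted by the group callback.
# 'group:editors' is a self-chosen login, not a group.
USER_GROUPS = {"alice": ["group:editors"], "group:editors": []}

def groups_for(userid):
    return USER_GROUPS.get(userid)

ACL = [(ALLOW, "group:editors", ("edit",))]

def attacker_can_edit_unprefixed():
    # Login 'group:editors' lands in the same namespace as the group principal.
    return permits(ACL, effective_principals("group:editors", groups_for), "edit")

def attacker_can_edit_prefixed():
    # With 'user:' the same login becomes 'user:group:editors' and no longer matches.
    return permits(ACL, effective_principals("group:editors", groups_for, "user:"), "edit")

def alice_can_edit_prefixed():
    # A genuine member still gets the group principal from the callback.
    return permits(ACL, effective_principals("alice", groups_for, "user:"), "edit")
```

Run the three functions to see the unprefixed scheme grant 'edit' to the self-chosen login while the prefixed scheme denies it without affecting real group members.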