AuthenticateAsMultipleUsers of Proposals

Search | Download | Documentation | Resources | Development

Guest

Join Zope.org
Log in

Developer Home
Get Involved!
The Fishbowl
Resources
Proposals
Projects

Zope Exits

ZopeZen
Zope Newbies
Zope Labs
EuroZope
ZDP
Appwatch.com

Zope.org is sponsored by Digital Creations

Proposals Table of Contents

Last edited by jim on Apr 9, 2001 6:29 pm

FrontPage
- AuthenticateAsMultipleUsers / backlinks

Original Author

ShaneH

Problem

If a user is authenticated in a user folder below the root folder, with certain exceptions the user can not inherit rights from the root folder. To be more specific, the security machinery assumes that any user folder can give a user all the roles available to that user, even though a higher user folder might be able to grant more roles.

The exceptions to this rule include the superuser and the anonymous user. When determining whether a user is allowed access to an object, many user folder implementations check the name of the authenticated user against the name of the superuser, and if they match, a special action is taken. If a user is not allowed access to a given object, but the "anonymous" role is, access is granted in most cases.

Proposed Solution

In Zope 2.1.6 there was no way to fix this. Zope 2.2 and the new security policy module give us a new opportunity.

A user can be authenticated as more than one user at a time. When performing any security check, ZopeSecurityPolicy^x should try to grant access based on the innermost user folder. If it can't, it should try to grant access based on the next-innermost user folder, and so on until it reaches the root user folder. It should cache the users it authenticates in _context, which currently only stores one user object.

This would probably be more elegant if ZPublisher^x were modified to participate in the revised model. Currently BaseRequest^x.traverse() only stores one AUTHENTICATION_PATH and one AUTHENTICATED_USER.

Risk Factors

The meaning of AUTHENTICATED_USER and AUTHENTICATION_PATH become less clear.
User folder implementations would probably have to be changed, but they would probably become simpler because they wouldn't have to support the superuser exception anymore.

Scope

This proposal deals with user authentication as it applies to multiple user folders.

Deliverables

The modifications to the security policy that implement this proposal.
Revised documentation for user folder product authors.
The satisfaction of a job well done. :-)

jim (Apr 9, 2001 6:29 pm; Comment #1)

 >   The exceptions to this rule include the superuser and the anonymous
 >   user.  When determining whether a user is allowed access to an
 >   object, many user folder implementations check the name of the
 >   authenticated user against the name of the superuser,

Eek, an implementation that only checked names would be broken.

 >   A user can be authenticated as more than one user at a time.
 >   When performing any security check, ZopeSecurityPolicy
 >   should try to grant access based on the innermost user folder.  If
 >   it can't, it should try to grant access based on the next-innermost
 >   user folder, and so on until it reaches the root user folder.  It should
 >   cache the users it authenticates in _context, which currently only
 >   stores one user object.

A better way to fix this is to authenticate at the higher level, not the lower one. That is, during traversal, we need to authenticate as soon as we can and use the resulting identity.

served by app2