Friday 18 December 2009

The difference between view classes and skin templates, from a security point of view

I did some Googling for this but couldn't figure it out. I found help on the chat:

(03:31:51 PM) khink: So, does anyone else know whether ZCML-registered templates are executed with other permissions than skin templates?
(03:31:56 PM) ender_ left the room (quit: ).
(03:33:02 PM) optilude: khink: templates for views (such as those registered with browser:page) are considered filesystem code
(03:33:08 PM) optilude: so they are not executed in restrictedpython
(03:33:13 PM) optilude: and so you can do whatever you want there
(03:33:19 PM) optilude: they still have a view permission, obviously
(03:33:28 PM) khink: optilude: But permission restrictions should apply, right?
(03:33:39 PM) optilude: khink: what kind of permission restrictions do you mean?
(03:33:59 PM) cbess [n=christop@office.newmediagateway.com] entered the room.
(03:34:17 PM) khink: If I'm Anonymous, I shouldn't be able to see a field (on an AT type) which is protected by a permission, I thought.
(03:34:35 PM) khink: optilude: Permission 'Set own password', that is.
(03:34:37 PM) optilude: mmm
(03:34:45 PM) optilude: khink: you might
(03:34:59 PM) khink: It seems to happen: http://bit.ly/5mYWJ1
(03:35:00 PM) optilude: if the template accesses the data (getWhatever) then sure
(03:35:12 PM) optilude: khink: if you use the AT display widget it may make an explicit permission check
(03:35:25 PM) optilude: but basically, you can do context/getFoo with impunity
(03:35:34 PM) khink: But the same template in the skins folder does not show the field.
(03:35:44 PM) khink: That surprised me.
(03:36:09 PM) optilude: khink: because in a skin script, whenever you do traversal, zope does security
(03:36:22 PM) optilude: in filesystem code, there's no such check
(03:37:10 PM) khink: optilude: So in fact, fs code renders permissions defined on individual fields useless?
(03:37:40 PM) optilude: no
(03:37:48 PM) optilude: they still work
(03:38:00 PM) optilude: they still stop someone from going http://mysite/foo/bar/getPassword
(03:38:11 PM) khink: optilude: true
(03:38:14 PM) optilude: or someone with ZMI access from writing a script/template TTW that accesses stuff they shouldn't
(03:38:30 PM) optilude: the zope security model is that if you have filesystem access, you're not subjected to the sandbox
(03:38:42 PM) optilude: ZCML-registered browser views (with templates or not) are filesystem code
(03:38:44 PM) optilude: you can't make them through the web
(03:39:08 PM) optilude: so you can also do things in there that you can't do in a TTW template, e.g. use the re module or access a variable starting with an underscore
(03:39:17 PM) optilude: and, importantly, you can do this:
(03:39:29 PM) optilude: tal:condition="checkPermission('Read foo', context)"
(03:39:30 PM) optilude: right
(03:39:33 PM) optilude: or do that in a view class
(03:39:36 PM) FinnArild: I have said it before, and I will say it again: I just LOVE zsyncer.
(03:39:39 PM) khink: optilude: Yes, I see the advantage of that.
(03:39:52 PM) optilude: FinnArild: blog about it
(03:39:54 PM) optilude: people don't know about it
(03:39:56 PM) khink: optilude: Thanks for explaining!


Bottom line: a ZCML-registered browser view, with or without a template, is filesystem code and runs outside the RestrictedPython sandbox, so anyone who is allowed to use the view gets access to whatever data it renders. The read permissions defined on individual fields are not checked along the way. Those field permissions still protect the accessor against direct URL traversal and against through-the-web scripts and templates, but inside a view you can't rely on them: if a field must stay hidden from some users, the view class or its template has to check the permission explicitly (checkPermission), just as the AT display widget does.
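To make the difference concrete, here is an added example of my own, not code from the post or from Plone: a self-contained Python model in which guarded_getattr and check_permission stand in for Zope's AccessControl machinery (the real pieces are AccessControl.ZopeGuards.guarded_getattr and getSecurityManager().checkPermission()). The MemberData class, the role map, the user names and the field values are all constructed for the example. The unchecked view renders the password field for an anonymous caller, the sandboxed skin-template path refuses the access, and the view that calls the permission check itself omits the field.

```python
# Added example, not code from the original post or from Plone. The classes
# below are a constructed model of Zope's security machinery; the real
# pieces are AccessControl.ZopeGuards.guarded_getattr and
# AccessControl.getSecurityManager().checkPermission(). Role map, user
# names and field values are made up for the example.


class Unauthorized(Exception):
    """Raised when a sandboxed (RestrictedPython) access fails its check."""


# Which roles hold which permission; constructed, mirrors a Plone role map.
ROLES_FOR_PERMISSION = {
    "View": {"Anonymous", "Member", "Manager"},
    "Set own password": {"Member", "Manager"},
}


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)


ANONYMOUS = User("Anonymous User", ["Anonymous"])
MEMBER_USER = User("alice", ["Member"])


def check_permission(permission, user):
    """Stand-in for getSecurityManager().checkPermission(permission, obj)."""
    return bool(ROLES_FOR_PERMISSION.get(permission, set()) & user.roles)


class MemberData:
    """Content object whose accessors are protected per method, like an
    Archetypes schema field with read_permission='Set own password'."""

    accessor_permissions = {
        "getFullname": "View",
        "getPassword": "Set own password",
    }

    def __init__(self, fullname, password):
        self._fullname = fullname
        self._password = password

    def getFullname(self):
        return self._fullname

    def getPassword(self):
        return self._password


def guarded_getattr(obj, name, user):
    """What a skin template's ``context/getPassword`` path goes through:
    every traversal step is checked against the caller's roles, and an
    attribute with no declared permission is refused as well."""
    permission = obj.accessor_permissions.get(name)
    if permission is None or not check_permission(permission, user):
        raise Unauthorized("%s may not access %s" % (user.name, name))
    return getattr(obj, name)


def skin_template(context, user):
    """Skins-folder template: runs in the sandbox, so reading the password
    field raises Unauthorized instead of rendering it."""
    return {
        "fullname": guarded_getattr(context, "getFullname", user)(),
        "password": guarded_getattr(context, "getPassword", user)(),
    }


def sandbox_refuses(context, user):
    """True when the sandboxed template cannot be rendered for this user."""
    try:
        skin_template(context, user)
    except Unauthorized:
        return True
    return False


def browser_view_unchecked(context, user):
    """browser:page view (filesystem code): plain attribute access, no
    sandbox, so the field is rendered for anyone allowed to use the view."""
    return {
        "fullname": context.getFullname(),
        "password": context.getPassword(),
    }


def browser_view_checked(context, user):
    """Same view with the explicit check from the chat, the equivalent of
    tal:condition="checkPermission('Set own password', context)", done in
    the view class so the template never sees the value."""
    data = {"fullname": context.getFullname()}
    if check_permission("Set own password", user):
        data["password"] = context.getPassword()
    return data


if __name__ == "__main__":
    member = MemberData("Alice Example", "s3cret")
    print("unchecked view, anonymous:", browser_view_unchecked(member, ANONYMOUS))
    print("checked view, anonymous:", browser_view_checked(member, ANONYMOUS))
    print("skin template refuses anonymous:", sandbox_refuses(member, ANONYMOUS))
```

The view-side check belongs in the view class rather than in the template when you can manage it: the template then never holds the protected value at all, and a later template edit cannot accidentally print it.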

Saturday 5 December 2009

Plone as a DMS

In order to use Plone as a Document Management System, you'll want Plone to be accessible from the desktop. Users won't want to download a file from the website.

On Windows, Enfold Desktop is a nice solution; it blends in with your folder and network browsing. On Linux and Mac it can be accomplished with WebDAV (which is also available on Windows XP and 2003 Server, but ED is much nicer).

Zope has to be configured as a WebDAV server. Add this to the [instance] part of your buildout (the settings inside zope-conf-additional are copied verbatim into zope.conf, so keep the indentation):

[instance]
...
zope-conf-additional =
    enable-ms-author-via on
    <webdav-source-server>
        address 8484
        force-connection-close off
    </webdav-source-server>

The webdav-source-server section opens a second HTTP listener on port 8484 that serves the source of objects rather than their rendered form. It uses the same Zope authentication as the main port, so treat it like the main port when you firewall or proxy the site: don't leave it reachable from networks the main port isn't.

See http://plone.org/documentation/how-to/webdav/ for more on WebDAV and see http://svn.zope.org/Zope/trunk/src/Zope2/utilities/skel/etc/zope.conf.in?view=markup for details about configuring your Zope's settings.

When testing WebDAV locally, I found that going to localhost doesn't get me anywhere: I need to specify an IP (127.0.0.1).

Changed documents are uploaded immediately. "Page" types are shown in the WebDAV folder as ".html" files, but they're really just text files with an HTML part in them, so they're not easily editable for users.

Sunday 22 November 2009

Plone 3.3.2 on Lenny requires libc6-dev

Trying to buildout Plone 3.3.2 on Debian Lenny, I got this error:

/usr/lib/gcc/i486-linux-gnu/4.3.2/include-fixed/limits.h:122:61: error: limits.h: No such file or directory
...
recipe/zope2install/__init__.py", line 247, in install
'build_ext', '-i',
AssertionError


Some Googling hinted that I had to install the package libc6-dev, which worked.

Edit: What possibly happened is that libc6-dev was installed before as a dependency
of some other package, which I removed. It would have been better if I'd installed build-essential from the beginning.

Tuesday 17 November 2009

The SHV5 rootkit

I found out yesterday evening that my home server was cracked. This is an old desktop which runs in a cupboard in my house, and it contains no sensitive data whatsoever. Maybe that's why I've been slacking on security: I hadn't done updates for some time until I tried a dist-upgrade to Debian Lenny, mainly for fun. I had noticed some funny behaviour before, but thought nothing of it.

While dist-upgrading, I found out that the SHV5 rootkit had been installed. I found more information on this here: http://blog.gnist.org/article.php?story=hollidaycracking Still, it seems they must have gained root access in order to install the rootkit, and how that happened worries me.

I thought I was secure, having at some point installed DenyHosts, having disallowed ssh root access, etcetera. Maybe the rootkit was installed before that.

Monday 5 October 2009

Shell script for moving files to trash

(updated 06-10-2009, bottom paragraph)

Ubuntu keeps its trash in ~/.local/share/Trash/files, and stores metadata (i.e. deleted from where, deleted when) in a sibling info/ folder. This script tries to move files to the trash just as the file browser would do, so you can easily restore them later.

Save it as trash (or whatever you like) in your $HOME/bin folder (don't forget to chmod u+x it), and use it instead of rm.

#!/bin/bash
#
# A shell script for moving files and folders to your (Gnome) trash can,
# allowing to restore files from the file browser.

TRASH="$HOME/.local/share/Trash"
TRASH_FILES="$TRASH/files"
TRASH_INFO="$TRASH/info"
mkdir -p "$TRASH_FILES" "$TRASH_INFO"

until [ "$#" = "0" ]; do
    if [ ! -e "$1" ]; then
        echo "No such file or folder: $1" >&2
        shift; continue
    fi
    name=$(basename "$1")
    # Absolute path of the original location; this is what the file
    # browser reads back when you ask it to restore the file.
    fullpath="$(cd "$(dirname "$1")" && pwd)/$name"
    trashinfofile="$TRASH_INFO/$name.trashinfo"
    trashdate=$(date +%FT%T)
    # Never overwrite something already in the trash under the same name.
    if [ -e "$TRASH_FILES/$name" ] || [ -e "$trashinfofile" ]; then
        echo "Trash already contains '$name'; not overwriting it." >&2
        shift; continue
    fi
    if mv -- "$1" "$TRASH_FILES/" &&
       printf '[Trash Info]\nPath=%s\nDeletionDate=%s\n' "$fullpath" "$trashdate" > "$trashinfofile"; then
        echo "Moved $fullpath to $TRASH_FILES and updated trash metadata."
    else
        echo "Could not move $fullpath to $TRASH_FILES, or could not update trash metadata!" >&2
    fi
    shift
done

Thanks to george9233 for the beginning of this script.

That was fun! But the really easy version is:
sudo apt-get install trash-cli
man trash

Wednesday 30 September 2009

Folders with quotas

Another step in getting control over the total size of stuff that users upload, is the quota product. It's not yet eggified, a bit old, but works fine on Plone 3.1.7. It's available from the collective at https://svn.plone.org/svn/collective/quota. I've added a Dutch translation.

Plone Dutch users' day (Gebruikersdag) talk

Here is a link to the slides of the talk I gave at the Dutch Plone users' day: Deliverance for Plone, a use case