Friday, December 18, 2009

The difference between view classes and skin templates, from a security point of view

Did some Googling for this, couldn't figure it out. Found help on the chat:

(03:31:51 PM) khink: So, does anyone else know about if ZCML-registered templates are executed with other permissions than skin templates?
(03:33:02 PM) optilude: khink: templates for views (such as those registered with browser:page) are considered filesystem code
(03:33:08 PM) optilude: so they are not executed in restrictedpython
(03:33:13 PM) optilude: and so you can do whatever you want there
(03:33:19 PM) optilude: they still have a view permission, obviously
(03:33:28 PM) khink: optilude: But permission restrictions should apply, right?
(03:33:39 PM) optilude: khink: what kind of permission restrictions do you mean?
(03:34:17 PM) khink: If I'm Anonymous, I shouldn't be able to see a field (on an AT type) which is protected by a permission, I thought.
(03:34:35 PM) khink: optilude: Permission 'Set own password', that is.
(03:34:37 PM) optilude: mmm
(03:34:45 PM) optilude: khink: you might
(03:34:59 PM) khink: It seems to happen:
(03:35:00 PM) optilude: if the template accesses the data (getWhatever) then sure
(03:35:12 PM) optilude: khink: if you use the AT display widget it may make an explicit permission check
(03:35:25 PM) optilude: but basically, you can do context/getFoo with impunity
(03:35:34 PM) khink: But the same template in the skins folder does not show the field.
(03:35:44 PM) khink: That surprised me.
(03:36:09 PM) optilude: khink: because in a skin script, whenever you do traversal, zope does security
(03:36:22 PM) optilude: in filesystem code, there's no such check
(03:37:10 PM) khink: optilude: So in fact, fs code renders permissions defined on individual fields useless?
(03:37:40 PM) optilude: no
(03:37:48 PM) optilude: they still work
(03:38:00 PM) optilude: they still stop someone from going http://mysite/foo/bar/getPassword
(03:38:11 PM) khink: optilude: true
(03:38:14 PM) optilude: or someone with ZMI access from writing a script/template TTW that accesses stuff they shouldn't
(03:38:30 PM) optilude: the zope security model is that if you have filesystem access, you're not subjected to the sandbox
(03:38:42 PM) optilude: ZCML-registered browser views (with templates or not) are filesystem code
(03:38:44 PM) optilude: you can't make them through the web
(03:39:08 PM) optilude: so you can also do things in there that you can't do in a TTW template, e.g. use the re module or access a variable starting with an underscore
(03:39:17 PM) optilude: and, importantly, you can do this:
(03:39:29 PM) optilude: tal:condition="checkPermission('Read foo', context)"
(03:39:30 PM) optilude: right
(03:39:33 PM) optilude: or do that in a view class
(03:39:36 PM) FinnArild: I have said it before, and I will say it again: I just LOVE zsyncer.
(03:39:39 PM) khink: optilude: Yes, I see the advantage of that.
(03:39:52 PM) optilude: FinnArild: blog about it
(03:39:54 PM) optilude: people don't know about it
(03:39:56 PM) khink: optilude: Thanks for explaining!

Bottom line: anyone who is allowed to use the view gets access to the data it renders. (Of course, this also means that permissions on individual fields are not checked.) So you can't rely on any predefined security or permission settings to protect data rendered by a browser view.
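To make the difference concrete, here is an added illustration (not from the original post, and not Zope code): a constructed stand-in for Zope's security machinery, showing why `context/getPassword` is guarded in a skin template, leaks from a `browser:page` template, and is protected again once the view does the explicit `checkPermission` the chat recommends. The content class, the roles granted per permission and the sample values are all invented for the example.

```python
class Context:
    """Constructed stand-in for an Archetypes content object with a protected field.
    The permission map plays the role of what declareProtected() records in Zope."""
    permissions = {"getTitle": "View", "getPassword": "Set own password"}

    def getTitle(self):
        return "Member page"  # constructed sample value

    def getPassword(self):
        return "s3cret"  # constructed sample value

# Constructed stand-in for the roles each permission grants in this context;
# 'Set own password' is deliberately not granted to Anonymous.
ROLES_FOR = {"View": {"Anonymous", "Member"}, "Set own password": {"Member"}}

def checkPermission(permission, user_roles):
    """Explicit check, the equivalent of checkPermission('Read foo', context)."""
    return bool(ROLES_FOR.get(permission, set()) & user_roles)

def restricted_traverse(context, name, user_roles):
    """Skin-template path: context/getFoo goes through traversal, which enforces
    the permission declared on the attribute (Zope raises Unauthorized)."""
    if not checkPermission(Context.permissions[name], user_roles):
        raise PermissionError(name)
    return getattr(context, name)()

def skin_template(context, user_roles):
    """TTW skin template: every path expression is a guarded traversal, so a
    field the user may not read is simply not shown."""
    rendered = {}
    for name, key in (("getTitle", "title"), ("getPassword", "password")):
        try:
            rendered[key] = restricted_traverse(context, name, user_roles)
        except PermissionError:
            pass  # field omitted, matching the behaviour observed in the chat
    return rendered

def unguarded_view(context, user_roles):
    """browser:page template doing context/getPassword: filesystem code, so no
    traversal check runs and the protected field is rendered for everyone."""
    return {"title": context.getTitle(), "password": context.getPassword()}

def guarded_view(context, user_roles):
    """The fix from the chat: the view checks the field permission itself."""
    rendered = {"title": context.getTitle()}
    if checkPermission("Set own password", user_roles):
        rendered["password"] = context.getPassword()
    return rendered
```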
