![[tokkee]](http://tokkee.org/images/avatar.png){kind=avatar}
diff --git a/doc/security.txt b/doc/security.txt
index 41e6f140a1011e2c714e489ad28e17a86c4e6a91..10dedbab868494510de25ac9f981dd1d27ac26b4 100644 (file)
--- a/doc/security.txt
+++ b/doc/security.txt
Security Mechanisms
===================
-:Version: $Revision: 1.1 $
+:Version: $Revision: 1.16 $
Current situation
=================
ANONYMOUS_REGISTER_MAIL = 'deny'
Deny or allow anonymous users to register through the mail interface
-The web interface implements another level of user-interface security,
+Current user interface authentication and controls:
+
+- command-line tool access controlled with passwords, but no logical controls
+- CGI access is by username and password and has some logical controls
+- mailgw access is through identification using sender email address, with
+ limited functionality available
+
+The web interface implements has specific logical controls,
preventing non-admin users from accessing:
- other user's details pages
- listing the base classes (not issues or their user page)
- editing base classes
-
Issues
======
but restrict those users from accessing the web interface.
3. Only one user may perform admin functions.
4. There is no verification of users in the mail gateway by any means other
- than the From address. Support for strong signatures should be added.
+ than the From address. Support for strong identification through digital
+ signatures should be added.
+5. The command-line tool has no logical controls.
+6. The anonymous control needs revising - there should only be one way to be
+ an anonymous user, not two (currently there is user==None and
+ user=='anonymous').
Possible approaches
Security controls in Roundup could be approached in three ways:
-1) at the hyperdb level, with read/write/modify permissions on classes, nodes
- and node properties for all or specific transitions.
+1) at the hyperdb level, with read/write/modify permissions on classes, items
+ and item properties for all or specific transitions.
2) at the user interface level, with access permissions on CGI interface
methods, mailgw methods, roundup-admin methods, and so on.
3) at a logical permission level, checked as needed.
hyperdatabase itself, through Operating System controls such as user or group
permissions.
+
Hyperdb-level control
---------------------
Control is implemented at the Class.get, Class.set and Class.create level. All
-other methods must access nodes through these methods. Since all accesses go
+other methods must access items through these methods. Since all accesses go
through the database, we can implement deny by default.
Pros:
- harder to determine the relationship between user interaction and hyperdb
permission.
- a lot of work to define
+ - must special-case to handle by-item permissions (editing user details,
+ having private messages)
+
User-interface control
----------------------
- most user interfaces have multiple uses which can't be covered by a
single permission
-
Logical control
---------------
At each point that requires an action to be performed, the security mechanisms
-are asked if the current user has permission. There is no possibility to have
+are asked if the current user has permission. Since code must call the
+check function to raise a denial, there is no possibility to have automatic
default of deny in this situation.
Pros:
- quite obvious what is going on
- - is the current system
+ - is very similar to the current system
Cons:
- large number of possible permissions that may be defined, possibly
mirroring actual user interface controls.
+ - access to the hyperdb must be strictly controlled through program code
+ that implements the logical controls.
+
+
+Action
+======
+
+The CGI interface must be changed to:
+
+- authenticate over a secure connection
+- use unique tokens as a result of authentication, rather than pass the user's
+ real credentials (username/password) around for each request (this means
+ sessions and hence a session database)
+- use the new logical control mechanisms
+
+ - implement the permission module
+ - implement a Role editing interface for users
+ - implement htmltemplate tests on permissions
+ - switch all code over from using config vars for permission checks to using
+ permissions
+ - change all explicit admin user checks for Role checks
+ - include config vars for initial Roles for anonymous web, new web and new
+ email users
+
+The mail gateway must be changed to:
+
+- use digital signatures
+- use the new logical control mechanisms
+
+ - switch all code over from using config vars for permission checks to using
+ permissions
+The command-line tool must be changed to:
+- use the new logical control mechanisms (only allowing write
+ access by admin users, and read-only by everyone else)
-Applying controls to users
-==========================
-
-Individual assignment of Permission to User is unwieldy. The concept of a
-Role, which encompasses several Permissions and may be assigned to many Users,
-is quite well developed in many projects. Roundup will take this path, and
-allow the multiple assignment of Roles to Users, and multiple Permissions to
-Roles. These definitions will be stored in the hyperdb.
-
-
-Use cases
-=========
-
-public
- end users that can submit bugs, request new features, request support
-developer
- developers that can fix bugs, implement new features provide support
-manager
- approvers/managers that can approve new features and signoff bug fixes
-admin
- administrators that can add users and set user's roles
-system
- automated request handlers running various report/escalation scripts
-privacy
- issues that are only visible to some users
-
-
-Discussion
-==========
-
-Date: Thu, 2 May 2002 11:46:56 -0400
-From: David_Byrne@cisgi.com
-To: roundup-devel@lists.sourceforge.net
-I've really appreciated roundup so far. It has been very easy to create my own
-template that adds functionality for my specific purpose. One area, for my
-needs, that does not seem to be currently addressed in roundup is roles of
-users. I have various roles that the users of my instance of roundup can have.
-I have:
-
-1) end users that can submit bugs, request new features, request support.
-2) developers that can fix bugs, implement new features provide support
-3) approvers/managers that can approve new features and signoff bug fixes
-4) administrators that can add users and set users roles
-5) processors - this is isn't totally thought out yet, but for me it would be an
- automated request handler that would run various production scripts.
-
-Each of these roles need to have specific functionality within the web client
-(and possibly the email client -- but I haven't looked at that much yet). An
-example is that I don't want end users to be able to assign a specific developer
-to a problem or support issue. I think that some of my functionality can be
-implemented via the detectors, but I haven't fully researched it yet.
-
-So far, I have added a new class to the database called role which contains the
-various roles outlined above. I have added a multilink in the user class to the
-new role class. I have modified the base code in the cgi client to use the new
-admin role when checking for admin instead of using the user id. I am working
-on implementing the role for access to the individual forms and even specific
-fields on the forms. Has anyone else done this or seen a need to do this?
-
-I am planning on implementing this as an optional feature - basically the
-security will be handled in a separate module so that a site could implement the
-role functionality or exclude it by using the module that fits their needs. My
-current changes to the admin checks would be pulled out into a separate
-replaceable module. So if an implementation did not want to use roles, the
-check would just check the user id to see if it was equal to "admin". In my
-case, it would check the role of the user to see if it contained the admin role.
-
-If anyone else is interested in this, I will send the patches in when I am
-completed with this. If anyone else has worked on this (and hopefully gotten
-farther than I), please let me know.