[Erp5-dev] limiting/preveneting invoking scripts by URL

Discussion:

[Erp5-dev] limiting/preveneting invoking scripts by URL - any good and correct way?

Łukasz Nowak

2008-11-25 11:01:42 UTC

Hello,

What is the good and correct way[tm] to prevent invoking scripts from
URL?

I saw somewhere some kind of trick:

params: REQUEST=None, **kwargs

if REQUEST is not None:
do someting, eg. raise

Is there any "official" way to have such behaviour? Are above trick do
have any flaws? Is there any better way to prevent users from invoking
scripts by URL? Some script-based security checks to do it only by
managers for example?

Regards,
Luke

--
?ukasz Nowak IT Specialist email at lnowak.com http://lnowak.com/
Skype: Shufla jid: shufla at jabster.pl
``Use the Source, Luke...'' ?My blog: http://shufla.rootnode.net/

Yoshinori Okuji

2008-11-25 20:57:40 UTC

Permalink

Post by Åukasz Nowak
Hello,
What is the good and correct way[tm] to prevent invoking scripts from
URL?

I don't think we have any generic consensus about this.

Post by Åukasz Nowak
params: REQUEST=None, **kwargs
do someting, eg. raise
Is there any "official" way to have such behaviour? Are above trick do
have any flaws? Is there any better way to prevent users from invoking
scripts by URL? Some script-based security checks to do it only by
managers for example?

Personally, I don't think it is so important to prevent invoking any script
directly from an URL. What's important is to guarantee that the script is
invoked with good parameters and a good context by an appropriate user. It
should not be critical from where it is invoked.

If you can accept this argument above, it is a matter of security and sanity
checks.

I think you may avoid the argument, only if it is too heavy to make
restrictive checks or too difficult to make sure that the conditions are sane
only by a callee. In this case, I myself prefer to write code in a Product.

Regards,
YO

--
Yoshinori Okuji, Nexedi KK President / Nexedi SA CTO
Nexedi: Consulting and Development of Free / Open Source Software
http://www.nexedi.co.jp/
ERP5: Full Featured High End Open Source ERP
http://www.erp5.com/
ERP5 Wiki: Developer Zone for ERP5 Community
http://www.erp5.org/

Vincent Pelletier

2008-11-26 08:35:01 UTC

Permalink

Post by Åukasz Nowak
What is the good and correct way[tm] to prevent invoking scripts from
URL?
params: REQUEST=None, **kwargs
do someting, eg. raise
Is there any "official" way to have such behaviour? Are above trick do
have any flaws? Is there any better way to prevent users from invoking
scripts by URL?

Just to add to the "kind of trick" list: if the script expects an object as a
parameter (not a marshalable type like ints, floats, strings, ... but more
like some persistent object) it should not be callable from URL (as long as
there is no way to pass an object via URL, of course).

But the applicable domain is restricted, and it's definitely not the "good and
correct" way you're looking for.

Post by Åukasz Nowak
Some script-based security checks to do it only by
managers for example?

That's a bit different than preventing url call. Checking security would also
raise if that script is called from another script and user calling
the "original" script (by URL) is not manager. Proxy roles on either script
should not (AFAIK) affect that check, so setting a manager proxyrole
somewhere should have no effect.

--
Vincent Pelletier