Warning: Can't synchronize with repository "(default)" (Unsupported version control system "svn": No module named svn). Look in the Trac log for more information.

Ticket #2207 (closed defect: fixed)

Opened 8 years ago

Last modified 8 years ago

identity.SecureObject doesn't cascade down to subcontrollers

Reported by: fetchinson Owned by: faide
Priority: highest Milestone: 1.1
Component: TurboGears Version: 1.0.8
Severity: major Keywords: security
Cc:

Description

When a subcontroller is "mounted" on a controller and this latter controller is protected by identity.SecureObject?, the methods of the subcontroller will not be protected. The only work around seems to be to wrap each and every subcontroller with identity.SecureObject? although a better solution would be to have identity.SecureObject? to cascade down automatically to every subcontroller. The problem is especially severe with catwalk. Even if the main catwalk controller is protected, the methods exposed by subcontrollers of catwalk are not, leading to serious security leakage.

Example:

class A1( RootController? ):

A2 = identity.SecureObject?( A2, identity.in_group( 'test' ) )

class A2( Controller ):

@expose( )

def meth2( self ):

return dict( )

A3 = A3( )

class A3( Controller ):

@expose( )

def meth3( self ):

return dict( )

Access to /A1/A2/meth2 is limited, as expected, by the identity.SecureObject? construction. But access to /A1/A2/A3/meth3 is not limited.

Change History

comment:1 Changed 8 years ago by faide

  • Priority changed from normal to highest
  • Severity changed from normal to major

noted...

comment:3 Changed 8 years ago by fetchinson

Mark's comment was about adding identity.SecureResource? to the base classes of the controller in question. This also doesn't help, in particular it doesn't help with catwalk. Subcontrollers' methods are still accessible without restriction.

comment:4 Changed 8 years ago by Chris Arndt

I can't confirm your last observation. Using SecurerResource as an additional base class for a controller also protects its subcontrollers. Here's an example:

class ControllerB(controllers.Controller):

    @expose()
    def meth1(self):
        return "ControllerB.meth1"

class ControllerA(controllers.Controller, identity.SecureResource):
    require = identity.not_anonymous()
    b = ControllerB()

    @expose()
    def meth1(self):
        return "ControllerA.meth1"

class Root(controllers.RootController):
    """The root controller of the application."""

    a = ControllerA()
    # ...

Can you provide a test case (i.e. actual code) where SecureResource doesn't work as it should (is documented)?

comment:5 Changed 8 years ago by Chris Arndt

  • Status changed from new to closed
  • Resolution set to fixed

Turns out, this is solely a problem in CatWalk! The CatWalk sub-controller Browse does not use controllers.Conntroller as a base class and so SecureObject does not wrap access to it in another SecureObject instance. See identity.conditions.py, line 339.

This is fixed in r6643 for all 1.x branches.

Note: See TracTickets for help on using tickets.