How to secure anonymous creation of class with file attrs?


Piotrek Karaś

Tuesday 17 April 2007 12:49:16 am

Hello,

I need to make it possible for anonymous users to create objects that would become child nodes of a given tree node, but <b>will only be accessible for administrator users</b> in the admin interface. <b>The class</b>, objects of which will be added, <b>contains a file attribute</b>. How secure is it to allow this?

Here's a list of precautions I could think of:
1) I add a privilege for the anonymous role for the create function with all the limitations possible, especially specifying what class and parent class the creation includes, by adding a special section and so on.
2) I define a hard-to-guess object name, based on several fields, including an identifier attribute that increments itself automatically.
3) I prepare overrides based on the target class' identifier, which point to some empty or 'you have no business here' templates.

Would that be enough?
Maybe there is a way to verify the file?
How secure is this idea generally?

Thanks for any suggestions.

--
Company: mediaSELF Sp. z o.o., http://www.mediaself.pl
eZ references: http://ez.no/partners/worldwide_partners/mediaself
eZ certified developer: http://ez.no/certification/verify/272585
eZ blog: http://ez.ryba.eu

André R.

Tuesday 17 April 2007 1:42:40 am

Seems pretty secure, but this depends on whether this is a CV for John Shmo or top secret documents for the Pentagon.
Instead of the things you suggested, you can also test a new 'restricted' section that no one except admins has access to.
Then grant the anonymous user access to create a given class type under a given class type, and limit it under a specific node inside the 'Restricted section'.

Then to let users create content:

<form name="signup" action="/content/action" method="post">
<input type="hidden" name="NodeID" value="MY_NODE_ID" />
<input type="hidden" name="ClassID" value="MY_CLASS_ID" />
<input type="hidden" name="ContentLanguageCode" value="eng-GB" />
<input type="hidden" name="NewButton" value="New" />
</form>
<a href="#" onclick="window.document.signup.submit();">Add Content</a>

Note1: You also have to grant them rights to read their own drafts++
Note2: You can change NewButton to type="submit" if you want a button instead of a JavaScript-dependent link.

eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription
@: http://twitter.com/andrerom

Piotrek Karaś

Tuesday 17 April 2007 2:10:11 am

Definitely closer to CV (actually that's exactly what I am working on at the moment), than to top secret stuff :)

Still, I wouldn't like two things to happen:
- information/files to leak out,
- file to be used/executed to damage or hack the installation/server.

<i>Note1: You also have to grant them rights to read their own drafts++</i>
Why would I want that? I don't quite see this part.

Thanks for the suggestions.


André R.

Tuesday 17 April 2007 5:21:59 am

>Note1: You also have to grant them rights to read their own drafts++
>Why would I want that? I don't quite see this part.

They don't, my bad :)


Piotrek Karaś

Tuesday 17 April 2007 3:47:37 pm

We found one more thing to secure, to modify or add to my list (first post).

When in a /content/edit situation, the path informs us of the actual location of the created content, and that would be fine, but it also appends the following information automatically:
Root / My structure / Location / <b>New Name of the class</b>
That would be fine in case the form is filled in correctly. If that's not the case, if validation stops us from sending the draft for publication, then we no longer get the <b>New</b> info, instead eZ is trying to guess the object name based on the information already validated:
Root / My structure / Location / <b>cv45 Name Surname</b>
So I guess there's a pretty good chance our secret of how we construct object name is revealed.

One way to deal with it is to filter path accordingly. However, it seems that the section solution would be the best one.

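On the thread's open question of whether the uploaded file can be verified, and on keeping the stored name unguessable: the following is an added example, not part of any post and not eZ Publish code, written in plain PHP 7+. The function name `checkCvUpload`, the extension allowlist and the 5 MB cap are assumptions, and the sample uploads are constructed.

```php
<?php
// Added example, not eZ Publish code: names, allowlist and size cap are assumptions.
const CV_MAX_BYTES = 5 * 1024 * 1024;
// Allowed extension => leading bytes the file content must start with.
const CV_SIGNATURES = [
    'pdf'  => "%PDF-",
    'doc'  => "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", // OLE2 compound file
    'docx' => "PK\x03\x04",                        // ZIP container
    'odt'  => "PK\x03\x04",                        // ZIP container
];

// Returns ['ok' => bool, 'reason' => string, 'storedName' => ?string].
function checkCvUpload(string $tmpPath, string $clientName): array
{
    $reject = function (string $why): array {
        return ['ok' => false, 'reason' => $why, 'storedName' => null];
    };
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, CV_SIGNATURES)) {
        return $reject("extension '$ext' not allowed");
    }
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > CV_MAX_BYTES) {
        return $reject('empty, unreadable or too large');
    }
    $magic = CV_SIGNATURES[$ext];
    $head = file_get_contents($tmpPath, false, null, 0, strlen($magic));
    if ($head !== $magic) {
        return $reject('content does not match extension');
    }
    // The stored name takes nothing from the client and is not derived from form fields.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    return ['ok' => true, 'reason' => 'accepted', 'storedName' => $stored];
}

// Constructed sample uploads: a PDF header, PHP source renamed to .pdf, and a .php name.
$samples = ['cv.pdf' => "%PDF-1.4\n...", 'renamed.pdf' => "<?php echo 1;", 'cv.php' => "%PDF-1.4\n"];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'cv');
    file_put_contents($tmp, $bytes);
    $r = checkCvUpload($tmp, $name);
    printf("%-12s %s (%s)\n", $name, $r['ok'] ? 'ACCEPT' : 'REJECT', $r['reason']);
    unlink($tmp);
}
```

A matching header only shows that the content is consistent with the claimed type, so the stored file should still be kept where the web server will not execute it and served only to administrators.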
