## page was renamed from FeatureRequest/SecurityRules ## page was renamed from CategoryFeatureRequest/SecurityRules = Can SecurityPolicy handle multi rules ? = <> SecurityPolicy is a good idea, but it hasn't multi '''RULES'''. ||<#ff99ff> :D Play this patch. [[MoinMoinPatch/SecurityRules]] || == SecurityPolicy and SecurityRules == {{attachment:sr.png}} reference * [[http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html|apache mod_access]] * [[http://www.netfilter.org|iptables]] In Unix world, ACL is a very common control. that control how to access system resource and what is the way to access the system resource. ACL system is like Security``Policy. ACL has more rules. {{{ #!python class SecurityPolicy: def get_security_rules(self): return [security_rule_a, security_rule_b] }}} security_rule define a pattern. let Moin``Moin to check it. {{{ #!python class security_rules: def check_pattern(self, request, attr): if request match pattern about attr: return True else: return False class security_rule_a(security_rules): .... }}} And the rule have a '''JUMP''' like ( accept / Drop ) or ( allow / Deny ) or more . ( What is '''JUMP''' ? Please see man 8 iptables. ) maybe you can rewrite the code like this. {{{ #!python class security_rules: def __init__(self, request, jump): self.jump = jump def check_pattern(self, request, attr): if request match pattern about attr: return self.jump else: return None }}} ||<#33ffaa> :-? This logic is like apache or iptables. || == policy in Iptables == If you reference iptables rules, it has policy. What is it ? I define that: policy is the last rule in iptables's channel. In here, I suggest use Moin``Moin's acl_rights_default to be policy. so: {{{ #!python class security_policy: def get_security_rules(self): return [security_rule_a, security_rule_b, security_rule_moin_acl] }}} == Reference to Apache's mod_access == If you reference to mod_access, It was ordering by ALLOW and DENY, If the httpd.conf setting is like this {{{ order allow,deny }}} see the deny items first. {{{ order deny,allow }}} see the allow items first. ||<#ff99ff> I suggest follow the iptables logic, it is easy for codeing. || = What problem in here ? = 1. moin_acl maybe need to rewrite. 1. How to handle Moin``Moin.util.antispam and Old SecurityPolicy Object. 1. What about attr of save ? ( this is diff of read,write,... ) 1. Do People like this ? == Solutions == If you handle it. you need to modify the Moin``Moin/security.py . * I think follow this code logic, Is it a good idea ?! <:( * In Moin``Moin/multiconfig.py {{{ #!python import MoinMoin.securityrule as SecurityRule ... class DefaultConfig: ... security_rules = [{'rule' :SecurityRule.vaild_user, "is_non": 0, 'write': 0}] security_rules_fifo = 0 ... }}} * In Moin``Moin/security.py {{attachment:security.py}} * Moin``Moin/securityrule.py {{attachment:securityrule.py}} * wikiconfig.py {{{ #!python from MoinMoin.util.antispam import SecurityPolicy }}} == Above case == * If the user isn't valid then disable write. * If the user is valid, then check the ACL again. * If the ACL don't give him write: then he cann't write * else: then he can write. * check spam ||<#ddffdd> :D Yes, I know this case is easy done by acl, ( But don't easy done in SecurityPolicy. And you can thank more about it!) || ||<#aaffaa> :-? I will give you the using case, later. || == Using Case == This is some using case by security_rules. I think, this is very useful. === Allow Google, Yahoo, Baidu and MSN to read your moin === This is my security_rule to allow the search engine to read moin. This is in Moin``Moin/securityrule.py {{{ #!python class google_yahoo(security_rules_obj): def match_rule(self): if self.request.http_user_agent in [ 'Baiduspider+(+http://www.baidu.com/search/spider.htm)', 'Googlebot/2.1 (+http://www.google.com/bot.html)', 'Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)', 'Mozilla/5.0 (compatible; Yahoo! Slurp China; http://misc.yahoo.com.cn/help.html)', 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)', 'msnbot/1.0 (+http://search.msn.com/msnbot.htm)', ]: return 1 }}} === I don't like FlashGet === {{{ #!python class flashget(security_rules_obj): def match_rule(self): if self.request.http_user_agent in [ 'FlashGet', ]: return 1 }}} === I want Member can write under His name subpages === {{{ #!python class user_subpages(security_rules_obj): def match_rule(self): if self.user.valid and self.request.page.page_name.startswith(self.name): return 1 else: return 0 }}} === This is my wikiconfig.py === {{{ #!python import MoinMoin.securityrule as SecurityRule security_rules = [{"rule": SecurityRule.google_yahoo, 'read': 1}, {"rule": SecurityRule.flashget, 'read': 0, 'write': 0}, {"rule": SecurityRule.user_subpages, 'write': 1, 'read': 1}, ] }}} == Discussion == You do not really need this if you use python inheritance. I think the following should solve your issue (haven't tested it ;-) ). -- RobertSeeger <> {{{ #!python from MoinMoin.security import Permissions from MoinMoin.util.antispam import SecurityPolicy as AntiSpamPolicy class Config(...): class SecurityPolicy(AntiSpamPolicy): def write(self, pagename, **kw): return self.request.user.valid }}} Yes, I known it. but if I have more then two rules ? -- FrankieChow <> === summary of purpose? === It is hard to understand what this feature request is all about. Perhaps a bit more overview could be useful. I think I see what you are attempting, but please correct me. Here's my best interpretation: The term '''rule''' as you've used it is really more like a kind of security test, or an access control system. For instance the ACL is one such system or rule. The antispam stuff is a different one, and so on. What you are doing is allowing the wiki to be configured to have any number of such systems, as a list. This is perhaps more flexible than relying on inheritance as a way to combin multiple access systems. Then when evaluating permissions you seem to just scan that list (security_rules[]) looking for "rules" which supports the given attribute, such as "write", "read", etc. Also you look for the presence of a similarly named attribute, such as "write_non_continue". Then you only return the ''last'' rule which has the given attribute, but you stop scanning the rules list at the first _non_continue one. Is that basically correct? One question I have is why not return a lambda which instead evaluates ALL the matching rules and not just the last one? - -- DeronMeranda <> Just For Fun, and not have logic problem ( /!\ Modified -- FrankieChow <> ) -- FrankieChow <> That is, the permission is granted only if ALL the rules testing that permission type grant it. - -- DeronMeranda <> If you see the code in Moin``Moin/security.py: {{{ #!python def __getattr__(self, attr): ... request = self.request Page = self.Page if attr in request.cfg.acl_rights_valid: return lambda pagename, Page=Page, request=request, attr=attr: Page(request, pagename).getACL(request).may(request, self.name, attr) else: raise AttributeError, attr }}} When I follow this logic, I cann't testing the attr. because when the python running '''security.Default(user).__getattr__(attr)''' , it hasn't value about '''pagename''', ( maybe, it is pass by '''security.Default(user).read(pagename)''' ) so cann't test in security_rules, and find the True/False return. {{{ #!python return lambda pagename, Page=Page, request=request, attr=attr: Page(request, pagename).getACL(request).may(request, self.name, attr) }}} -- FrankieChow <> ## Tell your story here. ## What is the problem you are trying to solve? ## Is this features useful to most users or just to specific users? ---- CategoryFeatureRequest