This is a critical feature we need before 1.0, because of issues with user-supplied templates on multi-user web applications.
Basically, any method on an object can be called by a Sugar template. So if objects that have destructive methods (->delete(), ->addComment(), ->reassign(), whatever) are exported to a template, then the template can do far more than just display object properties and method results.
When templates are only supplied by the application developers and designers, this isn't a huge problem. The developers aren't usually in the business of hacking their own apps. However, some systems allow other users to upload templates (for example, a CMS), and in these cases we need to protect the application from potentially malicious users and designers.
The basic idea I have in mind is to allow the application developer to supply a user-defined method ACL function to the Sugar object. If set, any method call will be passed through this function for approval. Developers can then add lists of known-safe methods (or, if they prefer and don't mind the risk of false negatives, lists of known-unsafe methods) to make sure that destructive methods cannot be invoked by templates.
It could be extended to allow access controls for reading properties as well, I suppose.
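
One way the method ACL hook described above could look, as an added sketch that is not Sugar's own code: a gate the template runtime calls for every method invocation, plus a deny-by-default allowlist built from known-safe methods. All names (`TemplateMethodGate`, `setMethodAcl`, `allowlistAcl`, `MethodAclDenied`, `Article`) are hypothetical, and the sketch assumes that with no ACL set, calls pass through unchanged.

```php
<?php
// Added illustration: every class and function name here is hypothetical, not Sugar's API.
final class MethodAclDenied extends RuntimeException {}

final class TemplateMethodGate
{
    private $acl = null; // callable(object $obj, string $method, array $args): bool
    public function setMethodAcl(callable $acl): void { $this->acl = $acl; }
    // The template runtime would call this instead of $obj->$method(...) directly.
    public function invoke(object $obj, string $method, array $args = [])
    {
        if ($this->acl !== null && ($this->acl)($obj, $method, $args) !== true) {
            throw new MethodAclDenied(get_class($obj) . '::' . $method . ' denied');
        }
        return $obj->$method(...$args);
    }
}

// Builds a deny-by-default ACL from [class => [known-safe methods]].
function allowlistAcl(array $allowed): callable
{
    $map = [];
    foreach ($allowed as $class => $methods) {
        // PHP method names are case-insensitive, so compare in lower case.
        $map[$class] = array_map('strtolower', $methods);
    }
    return function (object $obj, string $method, array $args) use ($map): bool {
        foreach ($map as $class => $methods) {
            if ($obj instanceof $class && in_array(strtolower($method), $methods, true)) {
                return true;
            }
        }
        return false; // anything not listed is refused
    };
}

// Constructed sample object with one read-only and one destructive method.
final class Article
{
    public $deleted = false;
    public function title(): string { return 'Release notes'; }
    public function delete(): void { $this->deleted = true; }
}

$gate = new TemplateMethodGate();
$gate->setMethodAcl(allowlistAcl([Article::class => ['title']]));
$article = new Article();
echo $gate->invoke($article, 'title'), "\n"; // allowed by the list
try { $gate->invoke($article, 'DELETE'); }   // refused regardless of letter case
catch (MethodAclDenied $e) { echo 'blocked: ', $e->getMessage(), "\n"; }
```

A list of known-unsafe methods would need the same case normalisation, since a template calling `->Delete()` reaches the same method as `->delete()`.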