Ticket #2154 (closed defect: duplicate)

Opened 9 years ago

Last modified 9 years ago

Tighten the job user

Reported by: gracinet Owned by: trac
Priority: P2 Milestone: CPS 3.5.1
Component: CPSUtil Version: TRUNK
Severity: critical Keywords:
Cc:

Description

Currently, the CPS job system of #2080 simply creates an unrestricted user on the fly, with the prescribed name. The caller therefore has total freedom to choose a user that's not actually registered within the app. This can be really harmful for some Script (Python) objects such as workflow scripts, because there are some security checks (bypassed in zope.conf, though) that won't let it run.

CPSJob should at least check that the user is a CPS or Zope user. Why not directly use the correct user (with its perms, then) from one of the two user folders?
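The contrast the description draws, as an added toy model (not CPS's own code, and not using the Zope AccessControl API): the user folders are stand-in dicts, `job_user_unchecked` is the "unrestricted user with the prescribed name" behaviour, and `job_user_checked` is the proposed fix, resolving the name against the portal folder and then the root folder and failing closed when it is registered in neither. The user names, roles and the `run_job` role check are constructed for illustration.

```python
# Added example, not code from the CPS project: a toy model of how a job
# runner picks the identity it executes under. User folders are plain dicts.

class User:
    """Minimal registered user: a name and the roles it really holds."""
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)

    def has_role(self, role):
        return role in self.roles


class UnrestrictedUser(User):
    """Stand-in for an all-powerful user: every role check succeeds,
    whatever the name (the pattern the ticket objects to)."""
    def __init__(self, name):
        super().__init__(name, ())

    def has_role(self, role):
        return True


# Constructed sample folders: the portal's own users, then the Zope root users.
PORTAL_USERS = {
    "alice": User("alice", ["Member"]),
    "wfmgr": User("wfmgr", ["WorkflowManager"]),
}
ROOT_USERS = {"admin": User("admin", ["Manager"])}
FOLDERS = (PORTAL_USERS, ROOT_USERS)


def job_user_unchecked(name):
    """Current behaviour: any name at all becomes an unrestricted user."""
    return UnrestrictedUser(name)


def job_user_checked(name, folders=FOLDERS):
    """Proposed behaviour: look the name up in the user folders, innermost
    first, and return the real user (with its real roles). Unknown names
    are refused instead of being promoted to an unrestricted principal."""
    for folder in folders:
        user = folder.get(name)
        if user is not None:
            return user
    raise LookupError("job user %r is not registered in any user folder" % name)


def is_registered(name, folders=FOLDERS):
    """True when job_user_checked would accept the name."""
    try:
        job_user_checked(name, folders)
        return True
    except LookupError:
        return False


def run_job(user, required_role):
    """Mimics the check a protected script makes before running: returns a
    short status string instead of raising so the outcome is easy to compare."""
    if not user.has_role(required_role):
        return "denied: %s lacks role %s" % (user.name, required_role)
    return "ran as %s" % user.name


if __name__ == "__main__":
    # An unregistered name runs a Manager-only job under the old scheme...
    print(run_job(job_user_unchecked("nobody"), "Manager"))
    # ...and is refused outright under the checked one.
    print(is_registered("nobody"), is_registered("admin"))
    # A registered user keeps only the roles the folder grants it.
    print(run_job(job_user_checked("alice"), "Manager"))
```

The point of `job_user_checked` is that the job inherits exactly the permissions its user folder grants, so a workflow script's own security checks behave as they would for an interactive request instead of being short-circuited by an ad-hoc unrestricted principal.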

Change History

comment:1 Changed 9 years ago by gracinet

  • Owner changed from madarche to trac
  • Component changed from CPS (global) to CPSUtil
  • Severity changed from normal to critical

This one is important: you can break a site with it.

comment:2 Changed 9 years ago by gracinet

  • Status changed from new to closed
  • Resolution set to duplicate

Actually a dupe of the later and better explained #2173.
