|start | find | index | login or register | edit|
by earl, 6196 days agoHow To have a vanilla space that is open in principle but allows storage of kinda "confidential" information as well? - a gentle introduction to vanilla access control basics and ways to extend these mechanisms.
let's start with a quick overview of the vanilla access rights architecture. a reader in vanilla can be in one of 4 groups:
besides du-jour, which has it's own rules (only registered users and higher can comment, nothing else matters) vanilla currently provides 4 security levels:
but let's add a small piece of complexity: certain pieces of information you want to store in the space, are confidential and only associates should be able to see these snips. here's how you'd accomplish that:
non-assoc modifies to url-line to edit the snip: as only assocs are allowed to edit in read-only spaces, the user's request to edit will be declined.
transcluding the snip into another snip: no effect, as dyna execution will happen anyway.
so, now the smarter cases: vanilla has per default one selector, where dyna execution does not occur - the display-raw selector. this selector actually displays the snip's content as it is stored in vanilla's space-db. now if a real vanilla hacker would modify the url to request a display-raw on a snip with confidential information, vanilla would provide all the information wanted :)
and now you've another case why to never ever expose vanilla directories via http, so simply do not do it :) the only parts of vanilla which must reside in an http-accessible place are the CGI(-wrapper) and the according config.
so as you've seen, vanilla provides a quite simple basic set of access control which can easily enhanced by some small but useful bits. common usage scenarios can be achieved by critically assessing the options available. so before rolling your own mega ACL-based solution for vanilla (which would require in-depth knowledge of core vanilla mechanisms), have a deep look at what's already there :)
11 active users
|earl.strain.at • esa3 • online for 6770 days • c'est un vanilla site|