0 user Sign-in to change your status

Security Enhancements plugin. Security Prototype

• Repository
• Download package
• Browse source

sfEnhabcedSec plugin

The sfEnhabcedSecPlugin is a symfony plugin that provides additional secuirty features above the standard security feature of symfony.

It gives three additional security methods:

• Allow access based on links that were renderd in the previous request.
• Callback into your action class for users lacking a specific credential, where you decide if the user passed / failed the test.
• Auto mode where you give the current model and base model. This can be used for row level security.

Developers

Name	Status	Email
Rotem Lev	lead	moc.liamg <<ta>> metor.vel

License

Copyright (c) 2007-2008 Rotem Lev

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Releases for sf 1.1

Join this plugin team

Other releases

Release 0.0.3 - 21/08/2008

sfEnhabcedSec plugin

The sfEnhabcedSecPlugin is a symfony plugin that provides additional secuirty features above the standard security feature of symfony.

It gives three additional security methods:

• Allow access based on links that were renderd in the previous request.
• Callback into your action class for users lacking a specific credential, where you decide if the user passed / failed the test.
• Auto mode where you give the current model and base model. This can be used for row level security.

Installation

• Install the plugin

  $ symfony plugin:install sfEnhabcedSecPlugin
  

• Enable the filter in filters.yml, insert after the security filter

  sfEnhancedSecFilter:
    class: sfEnhancedSecFilter

• Enable one or more security methods in your app.yml (optional)

  • For the link checker: render_checker

  • For the automatic checks: auto_sec

    all:
       render_checker:  true
       auto_sec:        true

Secure your application

To secure a symfony application with this plugin:

• Example of settings for sfEnhacncedSecPlugin in security.yml

  secure_check:
    model_class:  MyForm
    edit:
      function1: 
        name: checkUserCredentials
        credentails: [[root, administrator]]
        param: id
      content_verification:
        credentails: [root]
        active: true
      auto_check:
        credentails: [root]
        active: true
        assosiation:
          1:
            credentails: [administrator]
            module: Moderators
            user_param: mod_group_id
            compare_field: id
          2:
            credentails: [subscriber]
            module: Owners
            user_param: owner_id
            compare_field: id             

• Basic callback checks example:

  secure_check:
    edit:
      function1: 
        name: checkUserCredentials
        credentails: [[root, administrator]]
        param: id
      function2: 
        name: checkUserOwnership
        credentails: [root]
        param: id

  • This example will call the action class for the module whenever the edit action is called. Each function will be called by its name if the user lacks the credentilas in the credentails: setting. if the function returns true the check has been passed if the function returns false the check failed and the user will be forwarded to the default security module / action.

• Basic link checks example:

  secure_check:
    edit:
      content_verification:
         credentails: [root]
         active: true

  • This example will test for the edit action of the module if the user previously had the the uri to edit this row, if the user has the specifc credential in (credentails: ) the check is skipped.
  • Notice that even though the check is done only in the edit action all the modules and all the actions have thier links renderd and pass through the filter.
  • This method is mostly useful in case of admin generated content where its very simple to filter the results and through that filteration you will not be able to execute an action that wasnt renderd.
  • Only links and forms are checked currently.

• Auto security checks example:

  secure_check:
    model_class:  MyForm
    edit:
      auto_check:
        credentails: [root]
        active: true
        assosiation:
          1:
            credentails: [administrator]
            module: Moderators
            user_param: mod_group_id
            compare_field: id
          2:
            credentails: [subscriber]
            module: Owners
            user_param: owner_id
            compare_field: id

  • This example will run the the check for every edit action of the module if the user lacks the credentials in ( credentials: ). The current user will only need to pass one check. if in this case the user has both administrator and subscriber credentilas if he passed the first check he will not undergo the second. the (credentails: ) under the ( assosiation: ) are actually the credentails that the user has to go into this specific test.

  • Sub section:

    [yml] 1: credentails: [administrator] module: Moderators user_param: mod_group_id compare_field: id

    • This section defines database realationship, in this case the MyForm model table holdes a foregin key that will eventually lead to the Moderators table, there could be many tables along the way as long as they are all holding foregin keys from one to another. The filter will find the realationship and attempt to query the database with the correct joins to count the number of records that have the current parameters in the request for the MyForm table and at the other end have the value of the (user_param: mod_group_id) in the subscriber attribute.

    • Keep in mind that if this is to work correctly when a user logs in you will have to add the attribues Like "mod_group_id" of the current user if he is in the moderators table.

TODO

• add support for Propel 1.2