Skip to main content

A mechanism for bypass Plone security, accessing specific URLs while giving a secret token (core package)

Project description

Introduction

A product for Plone developers. You will be able to register actions on site’s contents, protected by a secret token.

Using an internal utility, or calling a provided view (@@consume-powertoken) you can run the action you have configured previously.

How to use

First of all you need the utility:

>>> from collective.powertoken.core.interfaces import IPowerTokenUtility
>>> utility = getUtility(IPowerTokenUtility)

With this you can register a new action on a site content (for example, a document):

>>> token = utility.enablePowerToken(document, 'myMagicAction')

The token must (probably) kept secret, and you must use it has you prefer (for example: develop an application that send the token by e-mail)

You can then execute the given action using the same utility:

>>> result = utility.consumeAction(document, token)

Or calling the provided view that need token and path parameters, for example:

http://myplonesite/@@consume-powertoken?token=aaaa-bbbb-cccc&path=path/to/the/content

Registering more that one action

You can also register (and then run all of theme) more that one action for a token.

>>> token = utility.enablePowerToken(document, 'myMagicAction')
>>> utility.addAction(document, token, 'myMagicAction')
>>> utility.addAction(document, token, 'aDifferentAction')

When you consume the token, all registered actions are executed in order.

>>> result = utility.consumeAction(document, token)

What action is executed?

This is only the core package so you need to look for other packages that add possible actions (or develop your own).

When you call:

>>> token = utility.enablePowerToken(document, 'myMagicAction', parameter1='foo', parameter2=5)

… you are preparing the call for an adapter called myMagicAction, saving also additional parameter provided (in a special action object, see below). Know that 3rd party adapter can require specific parameters to works.

When consumeAction is called, internally a new adapter is called:

>>> from collective.powertoken.core.interfaces import IPowerActionProvider
>>> adapter = getMultiAdapter((document, request),
...                           IPowerActionProvider,
...                           name='myMagicAction')
>>> result = adapter.doAction(action)

What to do with results (you can also don’t provide results) is under your control. Result is always a Python list with all results from all executed actions.

A list of all know action providers is available online (feel free to contribute and update this page with your own).

Special parameters

When calling enablePowerToken and you give additional parameters, they are stored in the action object:

roles

Default to empty list. Commonly when you call consumeAction you are performing an action keeping user’s privileges. Providing there a list of Zope roles will give you those roles instead. In this way, knowing a token, you can commonly perform unauthorized actions.

oneTime

Default to True. When you call consumeAction you commonly execute the action and remove the action from the action list. Instead you can configure an action that never expire the token when executed, so you can call it many times as you want (using the same token every time).

params

Default is an empty dict, automatically filled with every other keyword argument passed, commonly used by adapters.

Final security note

This product play with Zope security, potentially giving great power to users, simply knowing the secret token.

Be careful!

Authors

This product was developed by RedTurtle Technology team.

RedTurtle Technology Site

Changelog

0.1.0 (2012-01-11)

  • Initial release

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

collective.powertoken.core-0.1.0.tar.gz (17.8 kB view details)

Uploaded Source

File details

Details for the file collective.powertoken.core-0.1.0.tar.gz.

File metadata

File hashes

Hashes for collective.powertoken.core-0.1.0.tar.gz
Algorithm Hash digest
SHA256 422f9d18be3dcd2b774994719fdd5615d0bbe72718f8f23992807751e687a198
MD5 b96deaa040ac6013934c08f9df37c13b
BLAKE2b-256 8d1aa9fd629353e5d4ff1d4a3f1317d4a3bf2bb1d0fc80c99fef0471d348e7c3

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page