[Seaside] Security (was: Seaside Development. What goes on behind the scenes?)

Cees de Groot seaside@lists.squeakfoundation.org
2 Dec 2002 23:49:59 +0100


Derek Brans <brans@nerdonawire.com> said:
>Do capabilities at the "UI only".  Only render buttons that users are 
>allowed to click on.  Only put text areas where users can modify data; 
>put html text in others.  In the "UI only" model, the models behind the 
>views are bare and exposed.
>
That's a good start. In a sense, the view hands out capabilities - it's what
I'm doing in VisualWorks: for every 'active element', I register a secure
binding (128-bit random number in base32 representation becomes the HTML name
attribute). This binding is the capability that's handed to the user. If the
view hands out a binding, the user may click/alter it and no checking is done
afterwards. If the view doesn't hand out a binding, there is no way that the
user can hack its way in.

>As I'm thinking about it, it seems like capability-based security should 
>really work from the model up, but that might require a lot of extra  
>facade classes because everything in Smalltalk is so exposed.
>
I'm thinking mostly along the same lines: start at view generation, and slowly
work downwards into the model as far as it works. The next level I'm thinking
about is to ask the model for ValueModels (I'm using these as targets for
bindings) - depending on the user's privs, r/o or r/w variants can be handed
out. 

-- 
Cees de Groot               http://www.cdegroot.com     <cg@cdegroot.com>
GnuPG 1024D/E0989E8B 0016 F679 F38D 5946 4ECD  1986 F303 937F E098 9E8B
Cogito ergo evigilo
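
The binding scheme described in this message, as an added Python sketch (not Cees de Groot's VisualWorks code): the view registers a 128-bit random base32 name only for fields it chooses to expose, and a submission is applied purely by looking up those names. `BindingRegistry`, `ValueModel`, `ReadOnly` and `render` are hypothetical names, and the registry is assumed to live in one user's session.

```python
# Added illustration; class and function names are hypothetical.
import base64
import html
import secrets

class ValueModel:
    """Read/write value holder (stand-in for a Smalltalk ValueModel)."""
    writable = True
    def __init__(self, value):
        self._value = value
    def get(self):
        return self._value
    def set(self, value):
        self._value = value

class ReadOnly(ValueModel):
    """Read-only variant handed out when the user lacks write privilege."""
    writable = False
    def set(self, value):
        raise PermissionError("read-only value model")

class BindingRegistry:
    """Per-session map from unguessable field names to value models."""
    def __init__(self):
        self._bindings = {}
    def bind(self, model):
        # 128 bits from the OS CSPRNG, base32-encoded, '=' padding stripped.
        name = base64.b32encode(secrets.token_bytes(16)).decode("ascii").rstrip("=")
        self._bindings[name] = model
        return name
    def apply(self, form):
        """Write submitted values; return the names that were never handed out."""
        unknown = []
        for name, value in form.items():
            model = self._bindings.get(name)
            if model is None:
                unknown.append(name)
            else:
                model.set(value)
        return unknown

def render(registry, fields):
    """Emit an input (and a binding) only for writable models, text otherwise."""
    out = []
    for label, model in fields.items():
        shown = html.escape(str(model.get()), quote=True)
        cell = '<input name="%s" value="%s">' % (registry.bind(model), shown) if model.writable else shown
        out.append("%s: %s" % (label, cell))
    return "\n".join(out)
```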