{ "info": { "author": "Maurits van Rees", "author_email": "m.van.rees@zestsoftware.nl", "bugtrack_url": null, "classifiers": [ "Development Status :: 4 - Beta", "Environment :: Web Environment", "Framework :: Plone", "Framework :: Plone :: 4.3", "Framework :: Plone :: 5.1", "License :: OSI Approved :: GNU General Public License v2 (GPLv2)", "Operating System :: OS Independent", "Programming Language :: Python", "Programming Language :: Python :: 2.7" ], "description": ".. This README is meant for consumption by humans and PyPI. PyPI can render rst files, so please do not use Sphinx features.\n If you want to learn more about writing documentation, please check out: http://docs.plone.org/about/documentation_styleguide.html\n This text does not appear on PyPI. It is a comment.\n\ncollective.denyroles\n====================\n\nThis is a monkey patch for PAS (``PluggableAuthService``).\nIt denies access to Plone Sites for users with roles like Manager or Editor.\n\n\nFeatures\n--------\n\n- A patch for the PAS ``_authorizeUser`` method that checks the roles of the user, and refuses authorization when one of the denied roles is found.\n\n- Configuration via environment variables or request headers to decide whether the check should be done.\n\n\nUse case\n--------\n\nYou have a Plone Site on two domains:\n\n- edit.example.local is for editing.\n Users with the Editor or Manager role log in here to edit and manage the site.\n This is a local domain that can only be reached within your local network or a VPN.\n\n- www.example.org is for anonymous users and maybe also for standard Members without extra roles.\n This domain is protected by a special firewall to prevent common web attacks like\n dubious form submissions, request flooding, spammers, cross-site scripting attacks, etcetera.\n\nProblems:\n\n- Editors sometimes log in to the public domain,\n and get errors during editing because the firewall is too protective.\n\n- The system administrator complains that he has set up a special domain for editing and managing,\n so that no changes can come in from the public site,\n and yet unexpectedly the editors can log in and make changes via the public site anyway.\n\nThis package gives you options to prevent users with some global roles from accessing the (public) site.\nTo be more precise: they will be treated as anonymous.\nWhen they try to log in, the login process will fail.\n\n\nInstallation\n------------\n\nInstall collective.denyroles by adding it to your buildout::\n\n [buildout]\n\n ...\n\n eggs =\n collective.denyroles\n\n\nand then running ``bin/buildout``.\nIt is immediately active, without needing activation within the Plone Site.\n\nYou may need some more configuration in your buildout config.\nSee the next section.\n\n\nConfiguration\n-------------\n\nThe roles that are denied access can be seen in ``src/collective/denyroles/config.py``.\nWe might make this configurable at some point.\nCurrently they are:\n\n- Manager\n- Site Administrator\n- Editor\n- Reviewer\n- Contributor\n\nThere are two ways to configure whether the roles should be checked or not:\nvia environment variables or via request headers.\n\n\nEnvironment variables\n~~~~~~~~~~~~~~~~~~~~~\n\nYou can set an environment variable to always deny the roles::\n\n export DENY_ROLES=1\n\nSet this to 1 (or another positive integer) for yes, and 0 for no.\nAny other value is ignored, and the request headers (see below) are consulted instead.\n\nNote that the OS environment can be different when you manually start your Plone instance or start it in a cronjob.\nSo it is better to set this in your Plone ``buildout.cfg``::\n\n [instance]\n recipe = plone.recipe.zope2instance\n environment-vars =\n DENY_ROLES 1\n\nRun the buildout and it will be set in the Plone config,\nin this case in ``parts/instance/etc/zope.conf``.\n\nThe environment variable is useful when the roles should be checked for *all* traffic to this Plone instance.\nIf you have a ZEO setup with two zeoclients, where one zeoclient gets all traffic from editors, and another gets the anonymous visitors, you can do this:\n\n- zeoclient for editors: ``DENY_ROLES 0``\n- zeoclient for anonymous: ``DENY_ROLES 1``\n\nNow editors can edit normally in their edit environment.\nAnd when they accidentally log in on the anonymous environment, they will be treated as anonymous.\n\n\nRequest headers\n~~~~~~~~~~~~~~~\n\nWhen the environment variable is *not set at all*, or set to an invalid value, we check the request headers.\nWe use two headers, to limit the damage when an attacker manages to inject a header into the request::\n\n X_DO_CHECK_ROLES\n X_DONT_CHECK_ROLES\n\nThe default when the environment variable is not set, and no headers are present, is to deny the roles.\nSo:\n\n- When none of these headers are set, we deny access to editors.\n\n- When ``X_DO_CHECK_ROLES`` is set, we deny access to editors.\n\n- When ``X_DONT_CHECK_ROLES`` is set, we allow access to all roles.\n\n- When both headers are set, ``X_DO_CHECK_ROLES`` wins, and we deny access to editors.\n\nThe approach with request headers is useful when you have a single zeoclient that handles all traffic for two different domains.\nThe web server (like nginx or Apache) should then add a header, depending on which domain the traffic comes in on:\n\n- For the edit domain: ``X_DONT_CHECK_ROLES``\n\n- Optionally for the public domain: ``X_DO_CHECK_ROLES``.\n This makes the intent explicit.\n It also helps when you are not sure whether an attacker may be able to inject the other header.\n\nThe value does not matter, as long as the request header with this name exists,\nbut 1 seems a good value.\n\nWhichever headers you use, make sure the web server for the public domain sets these headers itself and does not pass on an ``X_DONT_CHECK_ROLES`` header supplied by the client:\nif it did, a visitor could switch off the check with a header of their own.\n\n\nSuggested buildout usage\n------------------------\n\nThis is a suggestion on how to properly add this in a buildout.\nNote that this focuses on configuring collective.denyroles, and ignores lots of other useful settings::\n\n [zeoclient]\n # Configuration for public zeoclient.\n recipe = plone.recipe.zope2instance\n http-address = 8080\n zeo-client = on\n eggs =\n Plone\n collective.denyroles\n # Environment variables shared by all zeoclients:\n base-environment-vars =\n zope_i18n_compile_mo_files true\n environment-vars =\n ${:base-environment-vars}\n # In the public zeoclient, we deny access to editors/managers:\n DENY_ROLES 1\n\n [zeoclient-cms]\n # Second Plone zeoclient, only used for CMS, so for editors.\n # The next weird line means: inherit all settings from the [zeoclient] section:\n <= zeoclient\n # Use a different port:\n http-address = 8090\n environment-vars =\n ${:base-environment-vars}\n # In the CMS zeoclient, we do not want to deny access to editors/managers:\n DENY_ROLES 0\n\n [instance]\n # Standalone Plone instance without ZEO setup, for local development.\n <= zeoclient\n zeo-client = off\n environment-vars =\n ${:base-environment-vars}\n # With a single instance, we do not want to deny access to editors/managers:\n DENY_ROLES 0\n\n\nSupport\n-------\n\nIf you are having issues, please let us know.\nContact Maurits van Rees at Zest Software, m.van.rees@zestsoftware.nl.\nOr open an issue in `GitHub `_.\n\n\nLicense\n-------\n\nThe project is licensed under the GPLv2.\n\n\nContributors\n============\n\n- Maurits van Rees, m.van.rees@zestsoftware.nl\n\n\nChangelog\n=========\n\n\n1.0.0b2 (2019-09-17)\n--------------------\n\n- Fixed PyPI description.\n [maurits]\n\n\n1.0.0b1 (2019-09-17)\n--------------------\n\n- Initial release.\n [maurits]", "description_content_type": "", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/collective/collective.denyroles/", "keywords": "Python Plone", "license": "GPL version 2", "maintainer": "", "maintainer_email": "", "name": "collective.denyroles", "package_url": "https://pypi.org/project/collective.denyroles/", "platform": "", "project_url": "https://pypi.org/project/collective.denyroles/", "project_urls": { "Homepage": "https://github.com/collective/collective.denyroles/" }, "release_url": "https://pypi.org/project/collective.denyroles/1.0.0b2/", "requires_dist": null, "requires_python": "", "summary": "Plone PAS patch for denying access to editors and managers", "version": "1.0.0b2" }, "last_serial": 5840946, "releases": { "1.0.0b1": [ { "comment_text": "", "digests": { "md5": "473b54ac35bcd0936340ecd8b0249379", "sha256": "4d0c0b7c8df378879c204f2393856cdf15495331f211993b2fe7402747a049fc" }, "downloads": -1, "filename": "collective.denyroles-1.0.0b1.tar.gz", "has_sig": false, "md5_digest": "473b54ac35bcd0936340ecd8b0249379", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 17314, "upload_time": "2019-09-17T10:27:19", "url": "https://files.pythonhosted.org/packages/fc/a5/2035c2693f21f72154b29cda871054126c1b7c2b75e6936d5b431a247dec/collective.denyroles-1.0.0b1.tar.gz" } ], "1.0.0b2": [ { "comment_text": "", "digests": { "md5": "df8da2705638b77d50ca0230f1869d88", "sha256": "57d7f87a5781fdc77eda3666d77e38052042d629913061da2e8bda799af5da9e" }, "downloads": -1, "filename": "collective.denyroles-1.0.0b2.tar.gz", "has_sig": false, "md5_digest": "df8da2705638b77d50ca0230f1869d88", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 17351, "upload_time": "2019-09-17T10:29:42", "url":
"https://files.pythonhosted.org/packages/9f/24/550c2d1de9551ac149218b69671c78df9f31018fa435107937f8e4b1522c/collective.denyroles-1.0.0b2.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "df8da2705638b77d50ca0230f1869d88", "sha256": "57d7f87a5781fdc77eda3666d77e38052042d629913061da2e8bda799af5da9e" }, "downloads": -1, "filename": "collective.denyroles-1.0.0b2.tar.gz", "has_sig": false, "md5_digest": "df8da2705638b77d50ca0230f1869d88", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 17351, "upload_time": "2019-09-17T10:29:42", "url": "https://files.pythonhosted.org/packages/9f/24/550c2d1de9551ac149218b69671c78df9f31018fa435107937f8e4b1522c/collective.denyroles-1.0.0b2.tar.gz" } ] }
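The decision logic that the README above spells out in its "Environment variables" and "Request headers" sections, as an added worked example: a stand-alone Python model of the check (a valid DENY_ROLES first, then the two request headers with X_DO_CHECK_ROLES winning, then the list of denied roles). This is not code from collective.denyroles or its author; the function names, the plain dicts standing in for the process environment and the request headers, and the sample users are assumptions of this example. The real package patches the PAS ``_authorizeUser`` method, which this model does not touch, so it runs and can be tested without Plone.

```python
# Added example: a stand-alone model of the collective.denyroles decision
# logic as the README describes it.  This is NOT the package's own code:
# the function names, the plain dicts standing in for the process environment
# and the request headers, and the sample users are assumptions of this
# example.  The real package patches PAS ``_authorizeUser``; this model only
# reproduces the decision, so it can be run and tested without Plone.

# The denied roles listed in the README (src/collective/denyroles/config.py).
DENIED_ROLES = frozenset([
    "Manager",
    "Site Administrator",
    "Editor",
    "Reviewer",
    "Contributor",
])

# Only the presence of these headers matters, never their value.
DO_CHECK_HEADER = "X_DO_CHECK_ROLES"
DONT_CHECK_HEADER = "X_DONT_CHECK_ROLES"


def env_wants_check(environ):
    """Interpret DENY_ROLES from the process environment.

    Returns True for a positive integer, False for 0, and None when the
    variable is unset or holds anything else (including negative numbers),
    in which case the caller falls through to the request headers.
    """
    raw = environ.get("DENY_ROLES")
    if raw is None:
        return None
    try:
        value = int(str(raw).strip())
    except ValueError:
        return None
    if value > 0:
        return True
    if value == 0:
        return False
    return None


def must_check_roles(environ, headers):
    """Decide whether the role check applies to this request.

    A valid DENY_ROLES is authoritative.  Otherwise X_DO_CHECK_ROLES wins
    over X_DONT_CHECK_ROLES, and with no headers at all the default is to
    check (and therefore deny).  Assumption of this model: ``headers`` is a
    dict keyed by the header names exactly as the README spells them.
    """
    decision = env_wants_check(environ)
    if decision is not None:
        return decision
    if DO_CHECK_HEADER in headers:
        return True
    if DONT_CHECK_HEADER in headers:
        return False
    return True


def authorize(user_roles, environ, headers):
    """Return True when the user keeps its authorization, False when the
    patch would refuse it (PAS then treats the user as anonymous)."""
    if not must_check_roles(environ, headers):
        return True
    return not (DENIED_ROLES & frozenset(user_roles))


if __name__ == "__main__":
    # Constructed sample: the same editor on the public domain (proxy adds
    # X_DO_CHECK_ROLES) and on the edit domain (proxy adds X_DONT_CHECK_ROLES).
    editor = ["Member", "Authenticated", "Editor"]
    print(authorize(editor, {}, {DO_CHECK_HEADER: "1"}))    # False
    print(authorize(editor, {}, {DONT_CHECK_HEADER: "1"}))  # True
    # A client smuggling X_DONT_CHECK_ROLES past a proxy that also sets
    # X_DO_CHECK_ROLES is still denied: the DO header wins.
    print(authorize(editor, {}, {DO_CHECK_HEADER: "1",
                                 DONT_CHECK_HEADER: "1"}))  # False
```

The two inputs mirror the two configuration sources in the README: the `environ` dict plays the role of the zeoclient's process environment (`environment-vars` in buildout), the `headers` dict the request headers the web server adds per domain. The last call in the `__main__` block is the case the README's "both headers" rule exists for: a header the client managed to inject is harmless as long as the proxy for the public domain sets `X_DO_CHECK_ROLES` itself.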