[Mailman-Developers] Authorization System in Core

Sat May 21 18:54:04 EDT 2016

On 05/22/2016 12:08 AM, Harshit Bansal wrote:
> Hi Simon,
> This is the discussion that I was referring to:
> 
> Harshit Bansal writes:
> 
>  > I think the "Permissions Systems" would have nothing to do with the
>  > core. It would be related to Postorius. We will have to create a style
>  > model separately in Postorius which would store the style name and the
>  > user who created it. Then only the user who has created the style
>  > would be granted the permission to edit it.
> 
> Stephen J. Turnbull wrote:
> 
> Then there is no *permissions* system!  For example, one project last
> year created a Javascript client -- that would completely bypass the
> "permissions" system as you describe it.  You could imagine that style
> changes are a "friendly users" feature, and so the "style owner"
> system would be a *safety* feature of the Postorius UI rather than an
> *authorization* feature of styles.  But in an enterprise context (eg,
> a virtual hosting service), I'm sure that users will think of it as an
> authorization system.  While at present it seems unlikely that there
> would be multiple interfaces on one hosting service, you never know
> what users will do[1].  Also, it would not be obvious to somebody who
> installed the node.js Mailman client that they are likely bypassing
> "security" as documented in the typical Mailman manuals and tutorials
> that you would find on the web.
> 
> Thanks,
> Harshit Bansal
> 
>>Hi,
>>Earlier, while discussing the permission system for manging styles, it
>>was
>>decided that the permissions system should be enforced in the core
>>rather
>>than in the postorius since otherwise it can be bypassed(deliberately
>>or
>>undeliberately). But one thing that I think I forgot to discuss was
>>that
>>currently there is no authorisation system in the core and now I am
>>unable
>>to figure out that how could the permissions be enforced in the core
>>without an authorisation system.
>>Should I workout an authorisation system for the core first or enforce
>>permissions in postorius only?

After reading this and your proposal, I'm wondering why you want to add
the permission system in postorius.

You are storing the styles in core, and grant permissions based on
list/domain/site ownerships. All this information is in core.

Currently mailmanclient exposes everything, not caring about
permissions. You have admin rights, whoever uses mailmanclient has to
manage access on their own.

We currently have @list_moderator_required that we use in postorius. We
are not doing anything with domain or site owners, but they should be
pretty easy to implement.

While in theory it would be possible to enforce permissions in core
about who is allowed to call specific rest calls, this would require a
lot of changes. I'm not sure we want to go this way.

There are some things in core, that suggest that this might come
sometime. (Users have passwords and you can authenticate them)
But I guess this is somewhat legacy and will be dropped sometime in the
future.