user authorization (with one-time login) in a Python desktop application?

Stef Mientki stef.mientki at gmail.com
Sun Sep 27 15:21:06 EDT 2009


Tim Golden wrote:
> Steven D'Aprano wrote:
>> On Sun, 27 Sep 2009 16:11:52 +0200, Stef Mientki wrote:
>>
>>> I've a Python desktop application, running under Windows, that stores the
>>> data in a central SQLite database.
>>>
>>> Depending on the user login on the system, some of the data from the
>>> database is allowed and other data is forbidden.
>
>> What is your threat model? What are you trying to protect against?
>
>
> [... snip further stuff from Steven, usefully requiring
> clarification of ideas from the OP ...]
>
thanks guys,
as Steven said, I'll first identify the threats,
and I'll rethink the whole situation.
( I always want to have a solution for life, independent of the actual 
threats ;-)
> As a general rule within Windows, you let Windows do the
> authentication for you and you base your authorisation on
> the presence or otherwise of certain security groups in
> user's token. You can get hold of the token via -- in
> Python -- the win32security module, whose functionality
> you can supplement if needed by using the ctypes model
> to map in API functions which aren't already exposed.
>
By making use of the one-time login on Windows,
I'm not sure, but I guess the user environment variable "USER" should
hold the valid user,
which probably has a one-to-one relation with the SID.
> The kind of thing you might do here -- altho' it obviously
> depends on your particular situation -- would be to store
> a security group's identifier (name or SID) in some sort
> of roles-or-permissions table, requiring that to perform
> function X, the user must be in group Y. A logged on user
> either is or isn't in that group.
Yes that's exactly what I'm doing, the table is stored encrypted in a 
(separate) database
>
> Obviously, as was pointed out, if your users are so
> untrustworthy, they might steal or guess each other's
> logon details, but at that point you've got problems far
> more serious than merely the data your sqlite database
> represents.
The point is that usernames are published in our telephone / email lists ;-)
So the only personalization is the user's password,
which is verified once during Windows logon.

I'll also study your win32security module more closely.

thanks and cheers,
Stef
>
> TJG
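An added example, not code from the thread and not pywin32's own documentation, showing the scheme Tim describes: a roles-or-permissions table keyed by group SID, a deny-by-default check of a function against the group SIDs in the logon token, and the token itself read with pywin32's win32security on Windows. The roles table, the function names and the sample token below are constructed for illustration; the two group SIDs are the well-known Administrators (S-1-5-32-544) and Users (S-1-5-32-545) SIDs from winnt.h.

```python
"""Group-membership authorisation for a Windows desktop application.

The roles table maps each application function to the SID of the group
whose members may perform it.  The caller's groups come from the logon
token (read with pywin32 on Windows) or are passed in explicitly.
"""

# Well-known SIDs from winnt.h.  A real deployment would use the SIDs of
# the local or domain groups created for the application.
ADMINISTRATORS_SID = "S-1-5-32-544"
USERS_SID = "S-1-5-32-545"

# Hypothetical roles-or-permissions table (function -> required group SID).
# In the thread this lives in a separate SQLite database; a dict stands in here.
ROLES = {
    "view_records": USERS_SID,
    "edit_records": ADMINISTRATORS_SID,
    "delete_records": ADMINISTRATORS_SID,
}

# Group attribute flags from winnt.h.
SE_GROUP_ENABLED = 0x00000004
SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010


def effective_group_sids(token_groups):
    """Return the set of group SIDs that actually grant access.

    token_groups is a list of (sid_string, attributes) pairs, the shape that
    GetTokenInformation(..., TokenGroups) returns once the SIDs are converted
    to strings.  A group only counts if it is enabled and not deny-only: a
    UAC-filtered administrator token, for example, still lists Administrators,
    but flagged USE_FOR_DENY_ONLY, so it must not authorise anything.
    """
    return {
        sid
        for sid, attrs in token_groups
        if attrs & SE_GROUP_ENABLED and not attrs & SE_GROUP_USE_FOR_DENY_ONLY
    }


def is_authorised(function, group_sids, roles=ROLES):
    """Deny by default: a function missing from the table is forbidden."""
    required = roles.get(function)
    return required is not None and required in group_sids


def current_token_groups():
    """Read the current process token's groups with pywin32 (Windows only).

    Returns (sid_string, attributes) pairs; raises RuntimeError elsewhere.
    """
    try:
        import win32api
        import win32con
        import win32security
    except ImportError as exc:
        raise RuntimeError("pywin32 is required to read the logon token") from exc
    htoken = win32security.OpenProcessToken(
        win32api.GetCurrentProcess(), win32con.TOKEN_QUERY
    )
    groups = win32security.GetTokenInformation(htoken, win32security.TokenGroups)
    return [(win32security.ConvertSidToStringSid(sid), attrs) for sid, attrs in groups]


def permitted_functions(token_groups, roles=ROLES):
    """Every function in the roles table that this token may perform."""
    sids = effective_group_sids(token_groups)
    return sorted(f for f in roles if is_authorised(f, sids, roles))


# Constructed sample token (not captured from a real machine): a member of
# both Users and Administrators whose admin group has been filtered by UAC,
# plus a disabled domain group.
SAMPLE_TOKEN_GROUPS = [
    (USERS_SID, SE_GROUP_ENABLED),
    (ADMINISTRATORS_SID, SE_GROUP_USE_FOR_DENY_ONLY),
    ("S-1-5-21-1111-2222-3333-1104", 0),
]

if __name__ == "__main__":
    try:
        groups = current_token_groups()
    except RuntimeError:
        groups = SAMPLE_TOKEN_GROUPS
    print("effective groups:", sorted(effective_group_sids(groups)))
    print("permitted:", permitted_functions(groups))
```

Two design points worth keeping. The table stores SIDs rather than group names, since a group can be renamed (or its name localised) while its SID stays fixed. And membership is taken only from groups that are enabled and not deny-only, so a filtered administrator token behaves like a plain user's token, which is what Windows itself does when it checks an ACL. The scheme still rests entirely on the interactive logon: as the thread notes, the only secret is the password Windows checked once at logon, and the application never sees or re-checks it.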