[Cubicweb] Security on CubicWeb

aurélien campéas aurelien.campeas at gmail.com
Wed Jan 2 12:40:42 CET 2013

Hello Celso & others,

First, Happy new CubicWeb year :)

Throwing hastily some notes ...

I think the security "story" of CubicWeb is just excellent, provided you
inhibit the out-of-the-box html format for RichStrings.
(the ReST format might be problematic also)

Barring that, security in cubicweb is essentially a matter of schema &
logic design.

It gives you a basic group-based security mechanism that you can build upon.
Then, generalized security through E/RRQLExpressions in __permissions__ (in
entities and relation definitions) give an untold amount of flexibility.

Provided you define security very strictly at the schema level, you almost
need nothing in the (default) ui side of things. Even though people find
some "breach" (iow, bug) ui-wise that would seem to give permission to
forbidden operations, they won't be able to bypass any of the schema-level

What must never be done is to build security at the ui/html generation
level. Users always find ways around them.

a) build security in the schema, each part tested with unit/functional tests
b) teach your application's ui (e.g. actions) the missing bits, using the
security API (that asks the schema)

This is how security is built in cubicweb and also how you should build it
in your apps.

The really missing part is a good chapter in the cubicweb book ...
You can already guess some of this perusing the photo gallery tutorial,
esp. http://docs.cubicweb.org/tutorials/advanced/part02_security.html ...

The hard part will be:

* define a security model for your app. (not trivial, esp. if you never did
it before, as there are infinitely many possible models)
* implement & unit/func test it thoroughly (we should really write down how
to do it esp. wrt debugging)

I'm looking forward to some kind of "security benchmark" ...


2013/1/2 Celso FLORES <celso.flores at crealibre.com>

> Thanks Nico,
> We will have a meeting this week at Mexico to see what kind of test would
> they be performing on CW.
> Any info related, will be certainly useful.
> BTW :
> Feliz Año a todos !
> 2012/12/29 Nicolas Chauvat <nicolas.chauvat at logilab.fr>
>> Hi Celso,
>> On Mon, Dec 24, 2012 at 12:39:28PM +0100, Celso FLORES wrote:
>> > We did have a meeting with our clients, in which they arise the question
>> > about security in CubicWeb.
>> Work was done on this topic more than a year ago before data.bnf.fr
>> was put into production. I think it was Arthur who did that work. Just
>> wait for Adrien to come back from vacation and he should be able to
>> help you out.
>> I agree that having a least some shared guidelines about how to
>> conduct the security tests would be nice.
>> --
>> Nicolas Chauvat
>> logilab.fr - services en informatique scientifique et gestion de
>> connaissances
> --
> Celso FLORES
> Knowledge Management Consultant
> Mx. 044 81 80 75 04 73
> celso.flores at crealibre.com        Skype: jcelsoflores
> _______________________________________________
> Cubicweb mailing list
> Cubicweb at lists.cubicweb.org
> http://lists.cubicweb.org/mailman/listinfo/cubicweb
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cubicweb.org/pipermail/cubicweb/attachments/20130102/bf8e7bfc/attachment-0186.html>

More information about the Cubicweb mailing list