librelist archives

Access control pattern for Flask + PG

From:
Christian Jauvin
Date:
2013-04-02 @ 03:26
Hi all,

I wrote a small article on my blog about a very minimal access control
pattern for Flask and Postgres:

http://cjauvin.blogspot.ca/2013/04/impossibly-lean-access-control-with.html

Since I'm not a Flask expert, I'd appreciate some feedback about it: does
it make sense? Is it safe enough? Could it be done in a simpler way?

Thanks,

Christian

Re: [flask] Access control pattern for Flask + PG

From:
Audrius Kažukauskas
Date:
2013-04-02 @ 19:51
Hi, Christian,

Thanks for posting this, looks very interesting! I can see this working
nicely for a smaller website with an already established userbase or an
intranet site; I'm not sure if it would be feasible for a bigger webapp with
thousands of users.

One bit I'd do differently is exception handling: I'd use the
app.errorhandler() decorator for that and return a 403 status code as
well:

  import psycopg2
  from flask import Flask, jsonify
  app = Flask(__name__)

  @app.errorhandler(psycopg2.ProgrammingError)  # raised when the DB role lacks the privilege
  def db_access_error(e):
      msg = "..."
      return jsonify({'success': False, 'message': msg}), 403

-- 
Audrius Kažukauskas
http://neutrino.lt/
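
An added example (mine, not Audrius's code) of a narrower version of that handler: psycopg2.ProgrammingError also covers syntax errors and unknown tables, so mapping the whole class to 403 mislabels app bugs as access decisions and, if the handler ever echoes str(e), leaks table names. psycopg2 exposes the SQLSTATE as e.pgcode, and only 42501 (insufficient_privilege) is Postgres saying "the role lacks the GRANT". A stand-in exception class replaces psycopg2 and json.dumps replaces jsonify so the block runs without Flask or a database.

```python
import json

# SQLSTATE for "permission denied"; class 42 is "syntax error or access rule violation"
INSUFFICIENT_PRIVILEGE = "42501"


class FakeDbError(Exception):
    """Stand-in for psycopg2.ProgrammingError; real psycopg2 errors carry .pgcode too."""

    def __init__(self, pgcode, message):
        super().__init__(message)
        self.pgcode = pgcode


def db_access_error(e):
    """Body of the errorhandler: returns (JSON string, HTTP status)."""
    if getattr(e, "pgcode", None) == INSUFFICIENT_PRIVILEGE:
        # The session's role lacks the GRANT for this statement. That is the
        # access-control decision the pattern relies on, so answer 403.
        body = {"success": False, "message": "permission denied"}
        return json.dumps(body), 403
    # Any other ProgrammingError (bad SQL, unknown table or column) is a bug in
    # the app, not a denied request: keep the server's message out of the
    # response (it names relations), log it server-side, and answer 500.
    body = {"success": False, "message": "internal error"}
    return json.dumps(body), 500
```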

Re: [flask] Access control pattern for Flask + PG

From:
Nathan M
Date:
2013-04-02 @ 20:54
That's too static for any real use, I think, as you manipulate the db
directly (ORMs were created for your own good) and everything is hardcoded.
How do you add/remove/modify a user from your app? How do you remove/modify
a permission? Ok, you're lean on this particular point, but your app will
forever need a hacker to change its user permission system. Furthermore,
by using non-standard code and techniques, you prevent easy maintenance by
anyone other than you.

I guess if you want to jail your clients in your system, that's not an
issue at all.

Finally, some Flask extensions already exist which take care of
permissions, Flask-Security for instance.

Finally bis: on the bright side, if you're really interested in
permission management issues, maybe there's a way to leverage the ones
offered by the db from the ORM; it doesn't look like SQLAlchemy has it, for
instance, but I may be mistaken?

P.S.: I may sound harsh, and that's partly because of my broken English,
and partly because your post reminds me of some stories from the dailywtf...


Nathan
--
/*
** "What do you despise? By this you are truly known."
**	from Manual of Muad'Dib by the Princess Irulan.
*/


Re: [flask] Access control pattern for Flask + PG

From:
Teo Klestrup Röijezon
Date:
2013-04-03 @ 02:30
There are many cases where allowing the admin to dynamically add
permissions doesn't really make sense anyway. That said, I'm not sure about
how well this could work in an environment where more than one application
might have to share the same postgres server.

Re: [flask] Access control pattern for Flask + PG

From:
Christian Jauvin
Date:
2013-04-03 @ 12:30
Thanks for the comments. I should have been clear from the start that
my intention was not (1) to provide something other than a proof of
concept, to study the idea, and (2) to argue that this pattern would be
appropriate for an application with many users, requiring very
dynamic management.

In fact I must admit that I've been strongly influenced by these
arguments, that I read some years ago, about the model that I
proposed:

http://database-programmer.blogspot.ca/2009/02/comprehensive-database-security-model.html

and also about ORMs in general (this one seemed to have been somewhat
controversial):

http://database-programmer.blogspot.ca/2008/06/why-i-do-not-use-orm.html

Re: [flask] Access control pattern for Flask + PG

From:
Shawn Milochik
Date:
2013-04-03 @ 13:53
On Wed, Apr 3, 2013 at 8:30 AM, Christian Jauvin <cjauvin@gmail.com> wrote:
<snip>
> http://database-programmer.blogspot.ca/2009/02/comprehensive-database-security-model.html
<snip>

I started reading that, but the author lost all credibility for
anything security related with this quote:

   "Some applications will not contain sensitive data, and so the site
   owner wants to send forgotten passwords in email -- which means the
   passwords must be stored in plaintext."

Anyone who considers that to even be an option, and themselves
qualified to write about security, must be ignored by anyone who cares
about doing a good job.
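
An added example (mine, not Shawn's or the quoted author's) of the alternative the quote overlooks: a forgotten-password flow that emails a single-use, expiring reset token instead of the password, so passwords can be stored as salted PBKDF2 hashes and never need to be recoverable. The two dicts are constructed in-memory stand-ins for the users and reset-token tables.

```python
import hashlib
import hmac
import os
import secrets
import time


def hash_password(password, iterations=600_000):
    """Return a self-describing PBKDF2 record; the password itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the digest from the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


USERS = {}          # username -> password record (constructed stand-in table)
RESET_TOKENS = {}   # sha256(token) -> (username, expiry); constructed stand-in table


def issue_reset_token(username, ttl_seconds=900):
    """The 'forgotten password' email carries this token, not the password."""
    token = secrets.token_urlsafe(32)
    # Only the token's hash is stored: a leaked table still yields no usable link.
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (username, time.time() + ttl_seconds)
    return token


def redeem_reset_token(token, new_password):
    """Single use and time-limited: sets the new password and returns True, else False."""
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:          # unknown, or already used
        return False
    username, expiry = entry
    if time.time() > expiry:   # expired links are rejected even though they were valid
        return False
    USERS[username] = hash_password(new_password)
    return True
```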

Re: [flask] Access control pattern for Flask + PG

From:
Tim van Boxtel
Date:
2013-04-03 @ 14:34
1pm works for me.  I simply need to be logged into webex?

Cheers,

Tim van Boxtel

Re: [flask] Access control pattern for Flask + PG

From:
Nathan M
Date:
2013-04-03 @ 14:47
Interesting reads indeed, thanks!
As I said, I think your proof of concept would be more interesting with a
way to manage db users/permissions at the application level (even with
little management, you want some sort of automation).

--
/*
** "What do you despise? By this you are truly known."
**	from Manual of Muad'Dib by the Princess Irulan.
*/