Forum OpenACS Q&A: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!)

Collapse
31: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!) (response to 1)
Posted by Barry Books on 05/29/04 10:12 PM
I created an sudo package and added this to request-processor-procs.tcl 
 
 #####
    #
    # Make sure the user is authorized to make this request.
    #
    #####
    sudo::checkauth -url [ad_conn extra_url]

    if { ![empty_string_p [ad_conn object_id]] } {
      ad_try {
        switch -glob [ad_conn extra_url] {
            admin/* {
              permission::require_permission -object_id [ad_conn object_id] -pri
vilege admin
wrote this function 
namespace eval sudo {
        ad_proc checkauth { -url } {} {

                ns_log Notice "sudo login $url"
                if { $url eq "admin/" } {
                set val ""
                if { [catch {set val [ad_get_signed_cookie sudo]} err] == 1 } {
                        set val ""
                }
                if { $val eq "" } {
                        ns_log Notice "sudo login $err"
                        ad_returnredirect "/sudo/login"
                        ad_script_abort
                }
                }
        }

        ad_proc addurl { -url } {} {
        }

}
copy acs-subsite/lib/login and added this 
} -after_submit {

    # We're logged in
    set age 300
    set key 300
   ad_set_signed_cookie -signature_max_age $age sudo $key
ds_comment "cookie"

    # Handle account_message
and now I have to re-authenticate every 5 minutes to get to /admin

Obviously not complete but it works