Testing Plone Site Security Policy
(Is your intranet doing what you think it is?)

Matt Hamilton
Netsight Internet Solutions, UK

understand, develop, deliver.                           www.netsight.co.uk
What this talk is NOT

        •   Not talking about security vulnerabilities
        •   Not talking about code unit testing
        •   Not talking about penetration testing
So what IS this talk?
                      It goes something a bit like this:

                    Boss: Is our intranet secure?
                    You:  Yes of course!
So what IS this talk?

        •   But is it really?! Let's think about this:
            ➡ You installed Plone
            ➡ You created a set of custom content types
            ➡ You created a custom workflow
            ➡ Users have group memberships, local roles, etc.

             So our site is now quite complex in terms of
               who should be allowed to do what, and where
Our use-case

Belron.net
        •   The Belron.net intranet is based around ‘Projects’
            and ‘Groups’
            -   Users have local membership and roles in
                individual groups and projects
            -   Projects may be in various ‘states’: Public,
                Private, Secret
            -   Users have local roles on their project:
                Member, Contributor, Reviewer, Owner, Manager
            -   Content within a project may be in various
                states: Private, Draft, Pending, Published
So....

        •   If a piece of content is in the pending state, in
            a private project, in which I am a member and
            contributor, should I be able to edit it?
        •   If a project is in the secret state, and I am a
            non-member, should I be able to view the
            project description?
Policy decisions

        •   These are POLICY decisions for the site, not
            really CODE decisions.
            -   i.e. they are high-level objectives set by
                analysts/managers, not coders
            -   But testing against them will catch errors in the
                code or customisation
Coverage

        •   So, we have 3 project states x 5 local roles x
            4 content states = 60 permutations
        •   oh... and in Plone, Owner has a special meaning on a
            piece of content (the user who creates an item is given
            the Owner role on it), so each case has to be tested
            both as the item's creator and as a non-creator...
            so 120 permutations
        •   And for each one we want to test: can I View,
            Edit, List, Delete, Add....
        •   For Belron.net we had approx 1,300 tests
            needed
An idea...

        •   What if there was a nice easy way to test all
            these different permutations in an automated
            way and drive it all from a manager-friendly
            spreadsheet and be able to visually see the
            results?

PolicyTestCase

        •   Similar to PloneTestCase
        •   Write a bunch of tests
        •   Export a spreadsheet as CSV
        •   Run the tests
        •   See the results in a table
PolicyTestCase
            class TestDefaultPlone(PolicyTestCase):

                 def afterSetUp(self):
                      # Set up the state, e.g. workflow etc.
                      pass

                 def ViewContent(self):
                      # Test we can view the content
                      pass

                 def NoViewContent(self):
                      # Test we can NOT view the content
                      pass
PolicyTestCase
      def test_suite():
           from unittest import TestSuite
           suite = TestSuite()
           csv = open('%s/test_scenarios_simple2.csv' % PACKAGE_HOME)
           suite.addTest(makeSuiteFromCSV(TestDefaultPlone, csv))
           return suite
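The coverage arithmetic (3 project states x 5 local roles x 4 content states, doubled for item ownership) and the CSV-driven suite sketched on the PolicyTestCase slides, worked through as an added example that is not the talk's own code: a toy policy stands in for the live Plone site, the full scenario matrix is enumerated, a makeSuiteFromCSV-style builder turns each spreadsheet cell into one unittest, and the outcomes are drawn as a table. The CSV column names, the toy_policy() rules, and the deliberately mis-implemented rule (an author may edit published content that the spreadsheet says must be retracted first) are all assumptions constructed for this example.

```python
# Added illustration, not the talk's PolicyTestCase code.  The CSV column
# names, toy_policy() (a stand-in for the live Plone site) and the result
# table are assumptions made for this example.
import csv
import io
import itertools
import unittest

PROJECT_STATES = ("public", "private", "secret")
LOCAL_ROLES = ("Member", "Contributor", "Reviewer", "Owner", "Manager")
CONTENT_STATES = ("private", "draft", "pending", "published")
PERMISSIONS = ("View", "Edit", "List", "Delete", "Add")
COLUMNS = ("project_state", "role", "content_state", "owns_item") + PERMISSIONS

def all_scenarios():
    """Every (project state, local role, content state, owns-item) tuple.  The
    owns-item axis is the 'Owner has special meaning' doubling: Plone gives an
    item's creator the Owner role on it, so an author is a separate case."""
    return list(itertools.product(PROJECT_STATES, LOCAL_ROLES, CONTENT_STATES, (False, True)))

def toy_policy(permission, project_state, role, content_state, owns_item):
    """Constructed stand-in for the real site's security check (in the talk a
    live Plone instance answers via its workflow and role-permission maps)."""
    if role == "Manager":
        return True
    if role == "Member" and project_state == "secret":
        return False  # plain members of a secret project see nothing
    if permission in ("View", "List"):
        return content_state == "published" or owns_item or role == "Reviewer"
    if permission == "Add":
        return role in ("Contributor", "Owner")
    if permission == "Edit":
        if content_state == "pending":  # frozen while awaiting review
            return role == "Reviewer"
        return owns_item and role in ("Contributor", "Owner")
    if permission == "Delete":
        return owns_item and content_state in ("private", "draft") and role in ("Contributor", "Owner")
    return False

def policy_spreadsheet():
    """The manager-friendly CSV: a row per scenario, a Y/N cell per permission.
    Built from toy_policy so the example is self-contained, then one intended rule
    the code does not honour is written in: published items must be retracted
    before anyone but a Manager may edit them."""
    rows = [COLUMNS]
    for scenario in all_scenarios():
        project_state, role, content_state, owns_item = scenario
        cells = {p: toy_policy(p, *scenario) for p in PERMISSIONS}
        if content_state == "published" and role != "Manager":
            cells["Edit"] = False
        rows.append([project_state, role, content_state, "Y" if owns_item else "N"]
                    + ["Y" if cells[p] else "N" for p in PERMISSIONS])
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    return buf.getvalue()

def make_suite_from_csv(csv_text, check=toy_policy):
    """One unittest per (row, permission) cell, as the talk's makeSuiteFromCSV
    does: a failure names exactly which policy statement the site violates."""
    suite = unittest.TestSuite()
    for row in csv.DictReader(io.StringIO(csv_text)):
        scenario = (row["project_state"], row["role"], row["content_state"], row["owns_item"] == "Y")
        for perm in PERMISSIONS:
            def run(perm=perm, scenario=scenario, expected=row[perm] == "Y"):
                actual = check(perm, *scenario)
                if actual != expected:
                    raise AssertionError("%s on %r: policy says %s, site says %s"
                                         % (perm, scenario, expected, actual))
            case = unittest.FunctionTestCase(run)
            case.cell = (scenario, perm)  # lets a result be mapped back to a table cell
            suite.addTest(case)
    return suite

def run_matrix(csv_text, check=toy_policy):
    """Run every cell and return {(scenario, permission): "ok" | "FAIL"}."""
    cells = {}
    for case in make_suite_from_csv(csv_text, check):
        result = unittest.TestResult()
        case.run(result)
        cells[case.cell] = "ok" if result.wasSuccessful() else "FAIL"
    return cells

def render_table(cells):
    """Text version of the talk's visual results table."""
    lines = ["%-8s %-12s %-10s %-5s" % ("project", "role", "content", "owns")
             + " ".join("%-5s" % p for p in PERMISSIONS)]
    for scenario in all_scenarios():
        marks = " ".join("%-5s" % cells.get((scenario, p), "?") for p in PERMISSIONS)
        lines.append("%-8s %-12s %-10s %-5s" % (scenario[0], scenario[1], scenario[2],
                                                "Y" if scenario[3] else "N") + marks)
    return "\n".join(lines)

if __name__ == "__main__":
    matrix = run_matrix(policy_spreadsheet())
    print(render_table(matrix))
    bad = [key for key, outcome in matrix.items() if outcome != "ok"]
    print("\n%d cells checked, %d violate the written policy" % (len(matrix), len(bad)))
```

Run as a script it prints all 120 rows x 5 permissions; the six FAIL cells are the Contributor and Owner authors who can still edit their own published items in every project state, which is the sort of customisation error the spreadsheet is there to catch rather than a code bug the unit tests would see. The pending-content question from the "So...." slide is simply one row of the matrix (private / Contributor / pending / owns = Y).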
Demo

                   Demo and walkthrough of the code

Questions?
                                   Any questions?

                                   Matt Hamilton
                                matth@netsight.co.uk

             PolicyTestCase: in collective, will do a release
                          real soon now ;)

  • 20. Belron.net • Belron.net Intranet is based around ‘Projects’ and ‘Groups’ - Users have local membership and roles of individual groups and projects - Projects may be in various ‘states’: Public, Private, Secret - Users have local roles to their project: Member, Contributor, Reviewer, Owner, Manager - Content within a project may be in various states: Private, Draft, Pending, Published understand, develop, deliver. www.netsight.co.uk
  • 22. So.... • If a piece of content is in the pending state, in a private project, in which I am a member and contributor, should I be able to edit it? understand, develop, deliver. www.netsight.co.uk
  • 23. So.... • If a piece of content is in the pending state, in a private project, in which I am a member and contributor, should I be able to edit it? • If a project is in the secret state, and I am a non-member should I be able to view the project description? understand, develop, deliver. www.netsight.co.uk
  • 24. Policy decisions understand, develop, deliver. www.netsight.co.uk
  • 25. Policy decisions • These are POLICY decisions for the site, not really CODE decisions. understand, develop, deliver. www.netsight.co.uk
  • 26. Policy decisions • These are POLICY decisions for the site, not really CODE decisions. - ie. these are high level objectives set by analysts/managers not coders understand, develop, deliver. www.netsight.co.uk
  • 27. Policy decisions • These are POLICY decisions for the site, not really CODE decisions. - ie. these are high level objectives set by analysts/managers not coders - But they will catch errors in the code or customisation understand, develop, deliver. www.netsight.co.uk
  • 29. Coverage • So, we have 3 project states x 5 local roles x 4 content states = 60 permutations understand, develop, deliver. www.netsight.co.uk
  • 30. Coverage • So, we have 3 project states x 5 local roles x 4 content states = 60 permutations • oh... and in Plone Owner has special meaning on a piece of content... so 120 permutations understand, develop, deliver. www.netsight.co.uk
  • 31. Coverage • So, we have 3 project states x 5 local roles x 4 content states = 60 permutations • oh... and in Plone Owner has special meaning on a piece of content... so 120 permutations • And for each one we want to test: can I View, Edit, List, Delete, Add.... understand, develop, deliver. www.netsight.co.uk
  • 32. Coverage • So, we have 3 project states x 5 local roles x 4 content states = 60 permutations • oh... and in Plone Owner has special meaning on a piece of content... so 120 permutations • And for each one we want to test: can I View, Edit, List, Delete, Add.... • For Belron.net we had approx 1,300 tests needed understand, develop, deliver. www.netsight.co.uk
  • 33. An idea... • What if there was a nice easy way to test all these different permutations in an automated way and drive it all from a manager-friendly spreadsheet and be able to visually see the results? understand, develop, deliver. www.netsight.co.uk
  • 34. PolicyTestCase • Similar to PloneTestCase • Write a bunch of tests • Export a spreadsheet as CSV • Run the tests • See the results in a table understand, develop, deliver. www.netsight.co.uk
  • 35. PolicyTestCase class TestDefaultPlone(PolicyTestCase): def afterSetUp(self): # Setup the state, eg workflow etc def ViewContent(self): # Test we can view the content def NoViewContent(self): # Test we can NOT view the content understand, develop, deliver. www.netsight.co.uk
  • 36. PolicyTestCase def test_suite(): from unittest import TestSuite suite = TestSuite() csv = open('%s/test_scenarios_simple2.csv' % PACKAGE_HOME) suite.addTest(makeSuiteFromCSV(TestDefaultPlone, csv)) return suite understand, develop, deliver. www.netsight.co.uk
  • 37. Demo Demo and walkthrough of the code understand, develop, deliver. www.netsight.co.uk
  • 38. Questions? Any questions? Matt Hamilton matth@netsight.co.uk PolicyTestCase: in collective, will do a release real soon now ;) understand, develop, deliver. www.netsight.co.uk