Testing Plone Site Security Policy
(Is your intranet doing what you think it is?)

Matt Hamilton
Netsight Internet Solutions, UK

understand, develop, deliver.                           www.netsight.co.uk
What this talk is NOT

        •   Not talking about security vulnerabilities
        •   Not talking about code unit testing
        •   Not talking about penetration testing

So what IS this talk?
                      It goes something a bit like this:

                    Boss:  Is our intranet secure?
                    You:   Yes of course!

So what IS this talk?

        •   But is it really?! Let's think about this:
            ➡ You installed Plone
            ➡ You created a set of custom content types
            ➡ You created a custom workflow
            ➡ Users have group memberships, local roles, etc.

             So our site is now quite complex in terms of
               who should be allowed to do what, and where

Our use-case

Belron.net
        •   Belron.net Intranet is based around ‘Projects’
            and ‘Groups’
            -   Users have local membership and roles of
                individual groups and projects
            -   Projects may be in various ‘states’: Public,
                Private, Secret
            -   Users have local roles to their project:
                Member, Contributor, Reviewer, Owner, Manager
            -   Content within a project may be in various
                states: Private, Draft, Pending, Published

So....

        •   If a piece of content is in the pending state, in
            a private project, in which I am a member and
            contributor, should I be able to edit it?
        •   If a project is in the secret state, and I am a
            non-member, should I be able to view the
            project description?

Policy decisions

        •   These are POLICY decisions for the site, not
            really CODE decisions.
            -   i.e. these are high-level objectives set by
                analysts/managers, not coders
            -   But they will catch errors in the code or
                customisation

Coverage
        •   So, we have 3 project states x 5 local roles x
            4 content states = 60 permutations
        •   Oh... and in Plone, Owner has special meaning
            on a piece of content, which doubles that: 120 permutations
        •   And for each one we want to test: can I View,
            Edit, List, Delete, Add...
        •   For Belron.net we had approx. 1,300 tests
            needed

An idea...

        •   What if there was a nice easy way to test all
            these different permutations in an automated
            way, drive it all from a manager-friendly
            spreadsheet, and be able to visually see the
            results?

PolicyTestCase

        •   Similar to PloneTestCase
        •   Write a bunch of tests
        •   Export a spreadsheet as CSV
        •   Run the tests
        •   See the results in a table

PolicyTestCase
            class TestDefaultPlone(PolicyTestCase):

                 def afterSetUp(self):
                      # Set up the state, e.g. workflow etc.
                      pass

                 def ViewContent(self):
                      # Test we can view the content
                      pass

                 def NoViewContent(self):
                      # Test we can NOT view the content
                      pass

PolicyTestCase
      def test_suite():
           from unittest import TestSuite

           suite = TestSuite()
           # The scenario spreadsheet, exported as CSV, decides which
           # permutations get run against TestDefaultPlone
           csv = open('%s/test_scenarios_simple2.csv' % PACKAGE_HOME)
           suite.addTest(makeSuiteFromCSV(TestDefaultPlone, csv))
           return suite

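As an added example (not the PolicyTestCase code from the talk, and not Belron.net's real policy), here is a self-contained Python model of the spreadsheet-driven approach the last few slides describe: it enumerates the 120 permutations from the Coverage slide, reads expected outcomes from a CSV exported from the manager's spreadsheet, builds one unittest test per row the way makeSuiteFromCSV does, and renders the outcomes as a table. No Plone instance is available here, so policy_allows() is a toy stand-in for the site's actual workflow and permission checks, SAMPLE_CSV is constructed sample data, and the names row_test, make_suite_from_csv, run_from_csv and results_table are this example's own, not the project's.

```python
import csv
import io
import itertools
import unittest

# Dimensions from the "Coverage" slide.
PROJECT_STATES = ("public", "private", "secret")
LOCAL_ROLES = ("Member", "Contributor", "Reviewer", "Owner", "Manager")
CONTENT_STATES = ("private", "draft", "pending", "published")

# Constructed sample of the manager's spreadsheet, exported as CSV.
# The last row is deliberately one the toy policy below gets wrong.
SAMPLE_CSV = """project_state,role,content_state,is_owner,action,expected
public,Member,published,no,View,yes
private,Contributor,pending,yes,Edit,no
secret,Member,private,no,View,no
private,Reviewer,pending,no,Edit,yes
public,Contributor,draft,yes,Delete,yes
private,Manager,published,no,Delete,no
"""

def all_scenarios():
    """3 project states x 5 local roles x 4 content states = 60 cases,
    doubled to 120 because owning the content is tracked separately."""
    return list(itertools.product(PROJECT_STATES, LOCAL_ROLES,
                                  CONTENT_STATES, (False, True)))

def policy_allows(action, project_state, role, content_state, is_owner):
    """TOY policy (assumption): stands in for the live site's workflow checks."""
    if role == "Manager":             # too broad on purpose, see SAMPLE_CSV
        return True
    if action == "View":
        if content_state == "published":
            return True
        if content_state == "pending":
            return role == "Reviewer" or is_owner
        return is_owner               # private/draft: author only
    if action == "Edit":
        if content_state == "published":
            return False
        if content_state == "pending":
            return role == "Reviewer"
        return is_owner and role in ("Contributor", "Owner")
    if action == "Delete":
        return (is_owner and content_state in ("private", "draft")
                and role in ("Contributor", "Owner"))
    if action == "Add":
        return role in ("Contributor", "Owner")
    if action == "List":              # plain Members never see secret projects
        return project_state != "secret" or role != "Member"
    return False

def read_scenarios(csv_text):
    """Parse the spreadsheet rows; yes/no cells become booleans."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["is_owner"] = row["is_owner"].strip().lower() == "yes"
        row["expected"] = row["expected"].strip().lower() == "yes"
        rows.append(row)
    return rows

def row_test(row):
    """One unittest test for one spreadsheet row (cf. makeSuiteFromCSV)."""
    def check():
        got = policy_allows(row["action"], row["project_state"], row["role"],
                            row["content_state"], row["is_owner"])
        if got != row["expected"]:
            raise AssertionError("policy mismatch for %r" % row)
    return unittest.FunctionTestCase(check, description=str(row))

def make_suite_from_csv(csv_text):
    """Build a TestSuite with one test per CSV row, as the slides describe."""
    suite = unittest.TestSuite()
    for row in read_scenarios(csv_text):
        suite.addTest(row_test(row))
    return suite

def run_from_csv(csv_text):
    """Run every row test; return [(row, passed), ...] in spreadsheet order."""
    outcomes = []
    for row in read_scenarios(csv_text):
        result = unittest.TestResult()
        row_test(row).run(result)
        outcomes.append((row, result.wasSuccessful()))
    return outcomes

def results_table(outcomes):
    """The 'see the results in a table' step, as plain text."""
    fmt = "%-8s %-12s %-10s %-6s %-7s %s"
    lines = [fmt % ("project", "role", "content", "owner", "action", "result")]
    for row, ok in outcomes:
        lines.append(fmt % (row["project_state"], row["role"], row["content_state"],
                            "yes" if row["is_owner"] else "no", row["action"],
                            "PASS" if ok else "FAIL"))
    return "\n".join(lines)
```

Running print(results_table(run_from_csv(SAMPLE_CSV))) shows five PASS rows and one FAIL: the spreadsheet says a Manager must not delete published content, but the toy policy's blanket Manager shortcut allows it. That disagreement between the analysts' intent and what the code actually enforces is exactly the kind of customisation error the Policy decisions slide says these tests catch; swapping policy_allows() for checks against a real site is the part PolicyTestCase automates.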
Demo

                   Demo and walkthrough of the code

Questions?
                                   Any questions?

                                   Matt Hamilton
                                matth@netsight.co.uk

             PolicyTestCase: in collective, will do a release
                          real soon now ;)

  • 19. Belron.net • Belron.net Intranet is based around ‘Projects’ and ‘Groups’ - Users have local membership and roles of individual groups and projects - Projects may be in various ‘states’: Public, Private, Secret - Users have local roles to their project: Member, Contributor, Reviewer, Owner, Manager - Content within a project may be in various states: Private, Draft, Pending, Published understand, develop, deliver. www.netsight.co.uk
  • 20. Belron.net • Belron.net Intranet is based around ‘Projects’ and ‘Groups’ - Users have local membership and roles of individual groups and projects - Projects may be in various ‘states’: Public, Private, Secret - Users have local roles to their project: Member, Contributor, Reviewer, Owner, Manager - Content within a project may be in various states: Private, Draft, Pending, Published understand, develop, deliver. www.netsight.co.uk
  • 22. So.... • If a piece of content is in the pending state, in a private project, in which I am a member and contributor, should I be able to edit it? understand, develop, deliver. www.netsight.co.uk
  • 23. So.... • If a piece of content is in the pending state, in a private project, in which I am a member and contributor, should I be able to edit it? • If a project is in the secret state, and I am a non-member should I be able to view the project description? understand, develop, deliver. www.netsight.co.uk
  • 24. Policy decisions understand, develop, deliver. www.netsight.co.uk
  • 25. Policy decisions • These are POLICY decisions for the site, not really CODE decisions. understand, develop, deliver. www.netsight.co.uk
  • 26. Policy decisions • These are POLICY decisions for the site, not really CODE decisions. - ie. these are high level objectives set by analysts/managers not coders understand, develop, deliver. www.netsight.co.uk
  • 27. Policy decisions • These are POLICY decisions for the site, not really CODE decisions. - ie. these are high level objectives set by analysts/managers not coders - But they will catch errors in the code or customisation understand, develop, deliver. www.netsight.co.uk
  • 29. Coverage • So, we have 3 project states x 5 local roles x 4 content states = 60 permutations understand, develop, deliver. www.netsight.co.uk
  • 30. Coverage • So, we have 3 project states x 5 local roles x 4 content states = 60 permutations • oh... and in Plone Owner has special meaning on a piece of content... so 120 permutations understand, develop, deliver. www.netsight.co.uk
  • 31. Coverage • So, we have 3 project states x 5 local roles x 4 content states = 60 permutations • oh... and in Plone Owner has special meaning on a piece of content... so 120 permutations • And for each one we want to test: can I View, Edit, List, Delete, Add.... understand, develop, deliver. www.netsight.co.uk
  • 32. Coverage • So, we have 3 project states x 5 local roles x 4 content states = 60 permutations • oh... and in Plone Owner has special meaning on a piece of content... so 120 permutations • And for each one we want to test: can I View, Edit, List, Delete, Add.... • For Belron.net we had approx 1,300 tests needed understand, develop, deliver. www.netsight.co.uk
  • 33. An idea... • What if there was a nice easy way to test all these different permutations in an automated way and drive it all from a manager-friendly spreadsheet and be able to visually see the results? understand, develop, deliver. www.netsight.co.uk
  • 34. PolicyTestCase • Similar to PloneTestCase • Write a bunch of tests • Export a spreadsheet as CSV • Run the tests • See the results in a table understand, develop, deliver. www.netsight.co.uk
  • 35. PolicyTestCase
        class TestDefaultPlone(PolicyTestCase):
            def afterSetUp(self):
                # Set up the state, e.g. workflow etc.
                pass
            def ViewContent(self):
                # Test we can view the content
                pass
            def NoViewContent(self):
                # Test we can NOT view the content
                pass
  • 36. PolicyTestCase
        def test_suite():
            from unittest import TestSuite
            suite = TestSuite()
            # PACKAGE_HOME and makeSuiteFromCSV are provided by the test package
            # (their imports are not shown on the slide)
            csv = open('%s/test_scenarios_simple2.csv' % PACKAGE_HOME)
            suite.addTest(makeSuiteFromCSV(TestDefaultPlone, csv))
            return suite
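The CSV-driven suite the slides describe, covering the two policy questions from slides 22-23, as an added Python example that is not the talk's PolicyTestCase code: the POLICY table, the scenario CSV, the check-method names and the Authenticated non-member role are constructed stand-ins for a real Plone site's workflow and role setup.

```python
import csv
import io
import unittest
# Constructed toy policy (stand-in for the real Plone workflow/role setup):
# which local roles may view or edit, keyed by (project state, content state).
POLICY = {
    ("private", "pending"): {"view": {"Member", "Contributor", "Reviewer", "Owner", "Manager"},
                             "edit": {"Reviewer", "Manager"}},
    ("secret", "published"): {"view": {"Member", "Reviewer", "Owner", "Manager"},
                              "edit": {"Manager"}},
}
# Constructed scenario CSV; the last row deliberately contradicts POLICY.
SCENARIOS_CSV = """project_state,role,content_state,checks
private,Contributor,pending,ViewContent;NoEditContent
private,Reviewer,pending,ViewContent;EditContent
secret,Authenticated,published,NoViewContent;NoEditContent
secret,Manager,published,NoViewContent
"""

def allowed(project_state, role, content_state, action):
    """Stand-in for a Plone permission check: may this role do this action here?"""
    return role in POLICY.get((project_state, content_state), {}).get(action, set())

class PolicyTestCase(unittest.TestCase):
    """Check methods named in the CSV; they run against self.scenario, set per row."""
    def ViewContent(self): self.assertTrue(allowed(*self.scenario, "view"))
    def NoViewContent(self): self.assertFalse(allowed(*self.scenario, "view"))
    def EditContent(self): self.assertTrue(allowed(*self.scenario, "edit"))
    def NoEditContent(self): self.assertFalse(allowed(*self.scenario, "edit"))

def make_suite_from_csv(testcase_cls, csv_text):
    """Generate one test method per CSV row and collect them into a suite."""
    suite = unittest.TestSuite()
    for i, row in enumerate(csv.DictReader(io.StringIO(csv_text))):
        scenario = (row["project_state"], row["role"], row["content_state"])
        checks = row["checks"].split(";")
        def run_checks(self, scenario=scenario, checks=checks):
            self.scenario = scenario  # (project_state, role, content_state)
            for check in checks:
                getattr(self, check)()  # a failing check fails this row's test
        name = "test_row%d_%s_%s_%s" % ((i,) + scenario)
        setattr(testcase_cls, name, run_checks)
        suite.addTest(testcase_cls(name))
    return suite

def run_scenarios(csv_text):
    """Run the CSV-driven suite; return (tests run, names of failing rows)."""
    result = unittest.TestResult()
    make_suite_from_csv(PolicyTestCase, csv_text).run(result)
    return result.testsRun, [t.id().split(".")[-1] for t, _ in result.failures]
```

The failing last row shows how a mismatch between what the spreadsheet says the policy should be and what the site actually enforces surfaces as a named test failure, which is what the results table on the slides is built from.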
  • 37. Demo: demo and walkthrough of the code
  • 38. Questions? Any questions? Matt Hamilton, matth@netsight.co.uk. PolicyTestCase: in collective, will do a release real soon now ;)