Help: Software Security Issue

Software Engineer

JF-Expert Member
Dec 20, 2014
Intro:
We have a web-based software application with three types of users:
1. Admin
2. Customers
3. Guest

Customers have the privilege to create a profile, contact, address, upload a photo, etc.

The database has more than 20 tables.

Challenge:
We need to assign permission logic/a solution that allows a customer to see only the content that concerns them. Likewise, the admin must be able to see everything. Guest users must be able to see the reports that are generated automatically by the system.

Which expertise/approach should we use so that we can assign and limit permissions from the application level down to the row level?

Current state:
We have gone through various solutions, e.g. THIS ONE

We ask for your contribution.
 
That depends on the access control in the particular development environment. Google RBAC and look at your relevant environment. You can even write your own.
 
You can use bitwise operations and write your own system entirely. See this tutorial: How to write a permission system using bits and bitwise operations in PHP « Web Development - Programming - Codehead


How to write a permission system using bits and bitwise operations in PHP
I wrote this in PHP but you can use the same concept in other languages. I also assume an understanding of bits, bytes, binary-to-decimal conversion and vice versa, and bitwise operations on numbers like ‘or’, ‘and’ and ‘xor’. If you have no idea, search and read about these first. You don’t have to be a guru but you should have an idea. Here are some pages to get you started:

Byte - Wikipedia, the free encyclopedia
Bitwise operation - Wikipedia, the free encyclopedia
PHP: Bitwise Operators - Manual
Some binary to decimal calculators to make it easier

We will use simple numbers to represent different permissions and, as you might know, a number is a collection of bytes. For example: an integer is usually 4 bytes. Although you don’t have to worry about the size of a number in a high-level language like PHP, a little understanding of the representation of numbers will help you better understand this technique.

So let’s assume when I say:

<?php

$user_perms = 7;

?>
Internally the variable $user_perms looks like this:

|0|0|0|0|0|0|0|0|0|0|0|0|0|1|1|1|

This is a 2-byte representation of the number 7; although it might not look exactly like this internally, it looks similar. Just assume this for now.

Let’s say that your application supports 4 functions that a user can use:

1 - Post a blog post
2 - Comment on blog posts
3 - Edit posts
4 - Delete posts

Normally, you could have 4 fields in your database table (structure or whatever) for a user titled:

1 - can_post
2 - can_comment
3 - can_edit
4 - can_delete

This is not good: 4 additional fields for your user table, and who knows, what if your application has 100 functions? Do you want to add 100 fields to your user table?

With bits, you can have only 1 column and track all the permissions.

1 - perms

To do this, we will have to assign numbers for each of the functions: (Tip: use one of the calculators in the above list ;))

1 - Post a blog post |0|0|0|0|0|0|0|1| is 1 in decimal
2 - Comment on blog posts |0|0|0|0|0|0|1|0| is 2 in decimal
3 - Edit posts |0|0|0|0|0|1|0|0| is 4 in decimal
4 - Delete posts |0|0|0|0|1|0|0|0| is 8 in decimal

So you could have an array like this:

<?php

$perms = array(
'can_post' => 1,
'can_comment' => 2,
'can_edit' => 4,
'can_delete' => 8
);

?>
Almost there, let’s look at the user’s perms field now.

I hope you know about bitwise ‘or’: when you ‘or’ 1 and 1 you get 1; 0 ‘or’ 1 is 1; 1 ‘or’ 0 is 1; and finally 0 ‘or’ 0 is 0. It’s just like the meaning of ‘or’ in the English language.

Similarly, bitwise ‘and’: when you ‘and’ 1 and 1 you get 1; 0 ‘and’ 1 is 0; 1 ‘and’ 0 is 0; and finally 0 ‘and’ 0 is 0. Again, it’s just like the meaning of ‘and’ in the English language.

Bitwise ‘xor’: when you ‘xor’ 1 and 1 you get 0; 0 ‘xor’ 1 is 1; 1 ‘xor’ 0 is 1; and finally 0 ‘xor’ 0 is 0.

So suppose you want to give a user permissions to post a blog post, post a comment and edit posts but not delete posts, you do it like this:

<?php

$user_perms = $perms['can_post'] | $perms['can_comment'] | $perms['can_edit'];

?>
Note that in PHP ‘|’ means ‘or’, so what just happened is something like this:

|0|0|0|0|0|0|0|1| ‘or’
|0|0|0|0|0|0|1|0| ‘or’
|0|0|0|0|0|1|0|0|
_______________________
|0|0|0|0|0|1|1|1|

Now $user_perms has the value 7 and |0|0|0|0|0|1|1|1| in it internally.

Suppose that this is at the top of your post_blog.php or wherever you want to handle permissions for posting a blog; the only thing you need to do is:

<?php

if ($user_perms & $perms['can_post']) {
/* He/She has permission to do this */
} else {
/* He/She doesn't */
}

?>
In PHP ‘&’ is for bitwise ‘and’; please also note that ‘&&’ is logical ‘and’ and doesn’t operate on individual bits.

This is exactly what just happened:

|0|0|0|0|0|1|1|1| ‘and’
|0|0|0|0|0|0|0|1|
_______________________
|0|0|0|0|0|0|0|1|

So that’s ‘one’, not ‘0’, which means the ‘if’ passes and the user has permission to do this. But when it comes to deleting posts:

<?php

if ($user_perms & $perms['can_delete']) {
/* He/She has permission to do this */
} else {
/* He/She doesn't */
}

?>
Thus:

|0|0|0|0|0|1|1|1| ‘and’
|0|0|0|0|1|0|0|0|
_______________________
|0|0|0|0|0|0|0|0|

It’s ‘zero’, so the ‘if’ fails and you show an error message or whatever it is you do.

To add ‘delete’ permissions, you use ‘or’ again:

<?php

$user_perms |= $perms['can_delete'];

?>
So this happens:

|0|0|0|0|0|1|1|1| ‘or’
|0|0|0|0|1|0|0|0|
_______________________
|0|0|0|0|1|1|1|1|

To take away permissions you use ‘xor’:

<?php

$user_perms ^= $perms['can_delete'];

?>
And this will happen:

|0|0|0|0|1|1|1|1| ‘xor’
|0|0|0|0|1|0|0|0|
_______________________
|0|0|0|0|0|1|1|1|

And delete permissions are gone!

Now let’s take away post permissions:

<?php

$user_perms ^= $perms['can_post'];

?>
Thus:

|0|0|0|0|0|1|1|1| ‘xor’
|0|0|0|0|0|0|0|1|
_______________________
|0|0|0|0|0|1|1|0|

So this was just the basics, you can build on this and do more once you understand.

I hope this post will help someone.
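The tutorial's scheme in Python, as an added example that is not part of the quoted post: the permission names and values mirror its $perms array; the function names, the range check on a stored value, and the revoke via AND NOT (in place of the tutorial's XOR, which toggles rather than clears) are my own construction.

```python
# Added example (not the tutorial's code): bit-flag permissions in Python.
# Names and values mirror the tutorial's $perms array; the rest is constructed.
PERMS = {"can_post": 1, "can_comment": 2, "can_edit": 4, "can_delete": 8}
ALL = sum(PERMS.values())  # mask of every defined bit: 0b1111


def grant(perms, *names):
    """Set the named bits (the tutorial's '|=')."""
    for n in names:
        perms |= PERMS[n]
    return perms


def revoke(perms, *names):
    """Clear the named bits with AND NOT. Unlike the tutorial's '^=', this is a
    no-op when the bit is already clear, so calling it twice (or on a user who
    never had the permission) can never re-grant it."""
    for n in names:
        perms &= ~PERMS[n]
    return perms


def revoke_with_xor(perms, name):
    """The tutorial's '^=' form, kept only to show the toggle pitfall."""
    return perms ^ PERMS[name]


def has(perms, *names):
    """True only if every named permission is set: the tutorial's single-flag
    '&' test generalised to several flags at once."""
    required = 0
    for n in names:
        required |= PERMS[n]
    return perms & required == required


def decode(perms):
    """Names of the set bits, e.g. for an admin screen. Bits outside the defined
    set are rejected so a corrupted or over-wide stored column fails closed."""
    if perms & ~ALL:
        raise ValueError("unknown permission bits set: %#x" % (perms & ~ALL))
    return [n for n, v in PERMS.items() if perms & v]


if __name__ == "__main__":
    user = grant(0, "can_post", "can_comment", "can_edit")   # 7
    print(user, has(user, "can_post"), has(user, "can_delete"))
    print(revoke(user, "can_delete"), revoke_with_xor(user, "can_delete"))
```

The last line shows the difference: revoke() leaves 7 untouched, while the XOR form turns 7 into 15 and silently grants delete.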
 
That depends on the access control in the particular development environment. Google RBAC and look at your relevant environment. You can even write your own.

Okay, boss. Thank you very much.

I think there is a need to have a sub-forum for discussing challenges like these.

Or what do you think, boss?
 
You can use bitwise operations and write your own system entirely. See this tutorial: How to write a permission system using bits and bitwise operations in PHP « Web Development - Programming - Codehead

I have read you well.

Thank you very much, boss.
 
You can use bitwise operations and write your own system entirely. See this tutorial: How to write a permission system using bits and bitwise operations in PHP « Web Development - Programming - Codehead

This looks idiotic, to be honest. Always aim for simplicity in software; even that approach of having 100 columns would be more maintainable in the long run.

I advise you to give each user a Role, and based on their Role you decide in PHP whether they are allowed to see certain pages/functions on your site.
 
This looks idiotic, to be honest. Always aim for simplicity in software; even that approach of having 100 columns would be more maintainable in the long run.

I advise you to give each user a Role, and based on their Role you decide in PHP whether they are allowed to see certain pages/functions on your site.

Looks idiotic how? Spend your time reading it again and again and you will see how easy it makes managing CRUD security.
 
Okay, boss. Thank you very much.

I think there is a need to have a sub-forum for discussing challenges like these.

Or what do you think, boss?

We have been shouting about that for ages and we have already given up.

Send me your email by PM and I will send you some nice information that is useful but not public yet, so it will not be posted here for now!
 
Okay, boss. Thank you very much.

I think there is a need to have a sub-forum for discussing challenges like these.

Or what do you think, boss?

In short, we should have a dedicated developers' forum. If you go to Nairaland, where I am a member, they have developer sub-forums which are very active.
 
Boss, help me understand properly, maybe I am failing to understand you: if it is a web-based app, why don't you model it normally, the way you would model any other website, e.g. social networking? A person sends a request to the server and you return results according to their permission?
 
The way I see it, the easiest way is to use the database's unique ids.
Example: user M is an admin and will be assigned in the admins table.
User X is a normal user and will be in the members table.
Now when X logs in, check the members table, then give them info from the other tables they are allowed to see; likewise for the admin.
 
The way I see it, the easiest way is to use the database's unique ids.
Example: user M is an admin and will be assigned in the admins table.
User X is a normal user and will be in the members table.
Now when X logs in, check the members table, then give them info from the other tables they are allowed to see; likewise for the admin.

That is poor design. If you have 10 member roles, that means 10 tables.
Have one Users table with a Role field.
 
Hello,
I would recommend using database views.
IMHO, database views are best for several reasons, but I will mention a few:
  1. best at hiding complexity,
  2. best as a security mechanism, such as controlling which data a user may access,
  3. support for legacy code,
  4. not a platform-specific solution.
Why I recommend views: suppose today you have used PHP to develop and after some time you decide to use Ruby; then you don't have another headache over how to deal with roles/data accessibility.

If you want to try using VIEWS, ping me, I will help you without any trouble.

Regards,
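As an added example that is not from the thread, here is the view-based approach applied to the original question's three user types (admin sees everything, customer sees only their own rows, guest sees only system-generated reports) on an in-memory SQLite database with constructed sample rows; the one-row session table standing in for a per-request session variable is an assumption of the example.

```python
# Added example, not code from the thread: row-level scoping enforced inside
# database views, so every client language gets the same filter. The `session`
# table (one row: who is making this request) is a constructed stand-in for a
# real database's session variable; all rows below are constructed samples.
import sqlite3

SCHEMA = """
CREATE TABLE users    (id INTEGER PRIMARY KEY, name TEXT, role TEXT NOT NULL);
CREATE TABLE profiles (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, phone TEXT);
CREATE TABLE reports  (id INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT,
                       generated_by TEXT NOT NULL);   -- 'system' or 'user'
CREATE TABLE session  (user_id INTEGER, role TEXT NOT NULL);

-- The row filter lives in the view. With no session row the join yields
-- nothing, so an unauthenticated query fails closed instead of leaking.
CREATE VIEW visible_profiles AS
  SELECT p.* FROM profiles p, session s
   WHERE s.role = 'admin'
      OR (s.role = 'customer' AND p.user_id = s.user_id);

CREATE VIEW visible_reports AS
  SELECT r.* FROM reports r, session s
   WHERE s.role = 'admin'
      OR (s.role = 'customer' AND r.owner_id = s.user_id)
      OR (s.role = 'guest'    AND r.generated_by = 'system');
"""

SAMPLE = [  # constructed rows
    ("INSERT INTO users VALUES (?,?,?)",
     [(1, "alice", "admin"), (2, "bob", "customer"), (3, "carol", "customer")]),
    ("INSERT INTO profiles VALUES (?,?,?)",
     [(10, 2, "+255-700-0001"), (11, 3, "+255-700-0002")]),
    ("INSERT INTO reports VALUES (?,?,?,?)",
     [(20, 2, "bob invoice", "user"), (21, None, "monthly summary", "system"),
      (22, 3, "carol invoice", "user")]),
]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE:
        conn.executemany(sql, rows)
    return conn


def as_user(conn, user_id, role):
    """Bind the request's authenticated identity before any data query."""
    conn.execute("DELETE FROM session")
    conn.execute("INSERT INTO session VALUES (?, ?)", (user_id, role))


def profile_ids(conn, user_id, role):
    as_user(conn, user_id, role)
    return [r[0] for r in conn.execute("SELECT id FROM visible_profiles ORDER BY id")]


def report_ids(conn, user_id, role):
    as_user(conn, user_id, role)
    return [r[0] for r in conn.execute("SELECT id FROM visible_reports ORDER BY id")]
```

Application code only ever selects from the two views; the base tables are never exposed to request handlers, which is what keeps the scoping uniform across the 20-plus tables mentioned in the question.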
 