[Nitro] Security problems

Michael Fellinger m.fellinger at gmail.com
Fri Nov 11 05:05:30 EST 2005

Yeah, but that would be only the old security_by_obscurity approach - you have 
to apply rules anyway about what every user is allowed to see, and when you've 
got it right, you don't have to worry about users trying to visit some pages 
they shouldn't see.

But based on some thought about it, I would suggest a general security system 
(I remember someone is building something in that direction already) like 
nitro-auth aimed to be.
So implementing a security layer in nitro/og that is based on permissions, 
levels, roles - maybe even access times/frequency (between 8-9pm | 10 
pageviews/minute) - bundling Og objects with the security, so that one must 
have a specific aspect (everyone || >lvl9 || admin) to gain access to a 
specific object.
This would help to apply very application-specific security.

The main problem I see is the linkage gap between the user session and Og, 
since Og almost never knows exactly what it is doing for whom and so doesn't 

OK, this was just a quick overview of my first thoughts on this topic; maybe 
I'll add a bit more later on.

so long...

On Friday 11 November 2005 10:47 Emmanuel Piperakis wrote:
> > Dear devs,
> >
> > I am wondering if anyone has found (or can find) any security problems
> > with Nitro. Moreover, If anyone can suggest any common security
> > measures that could be wrapped in a controller helper/aspect I would
> > like to know. Even urls for (authoritative) articles regarding web site
> > security would be helpful.
> I am not sure if this can be done already, but I would like the path to be
> hidden. I would like to show only the main page URI. I think it is a
> security problem if a user sees things like http://myhost.com/project/1
> The user might type /2 himself...
> > Thanks in advance,
> > George.
> >
> >
> > --
> > http://www.gmosx.com
> > http://www.navel.gr
> > http://www.nitrohq.com
> >
> > _______________________________________________
> > Nitro-general mailing list
> > Nitro-general at rubyforge.org
> > http://rubyforge.org/mailman/listinfo/nitro-general
> Emmanouil Piperakis (epiperak at cs.ntua.gr)
> {To explore is Human, to Create is Divine,
>   To teach is Primal, to Rule is Sin}
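
The point made above - that a guessable id like /project/2 is harmless once every
object request is checked against the requesting user's permissions, levels,
roles, access times and request frequency - can be sketched as a small
object-bound authorisation layer. The following Ruby is an added example written
for this archive page; it is not Nitro, Og or nitro-auth code, and every class,
method and the sample users/projects are hypothetical. It stands in for the
"linkage gap" by handing the session's user explicitly to the guard that loads
the object.

```ruby
# Added example, not Nitro/Og code. All names here are hypothetical. It models the
# proposal in the thread: a policy bundled with each object, granting access when
# at least one aspect (owner || level >= N || role) matches, then enforcing an
# hour window and a per-user requests-per-minute cap.

class AccessDenied < StandardError; end
class NotFound     < StandardError; end

User = Struct.new(:name, :level, :roles)

class AccessPolicy
  def initialize(owner: nil, min_level: nil, roles: [], public: false,
                 hours: nil, max_per_minute: nil)
    @owner, @min_level, @roles, @public = owner, min_level, roles, public
    @hours, @max_per_minute = hours, max_per_minute
  end

  # At least one aspect must match: everyone, owner, level or role.
  def aspect_matches?(user)
    return true if @public
    return true if @owner && user.name == @owner
    return true if @min_level && user.level >= @min_level
    (@roles & user.roles).any?
  end

  # nil when allowed, otherwise a short reason for the refusal.
  def refuse_reason(user, now, hits_last_minute)
    return 'no matching aspect (owner/level/role)' unless aspect_matches?(user)
    return 'outside access window' if @hours && !@hours.cover?(now.hour)
    return 'rate limit exceeded' if @max_per_minute && hits_last_minute > @max_per_minute
    nil
  end
end

# The guard is the only way to load an object, so the id in the URL never
# matters on its own: the session's user is always part of the lookup.
class Guard
  def initialize(store)
    @store = store                          # id => [object, policy]
    @hits  = Hash.new { |h, k| h[k] = [] }  # user name => request timestamps
  end

  def fetch(user, id, now: Time.now)
    obj, policy = @store[id]
    raise NotFound, "no object #{id}" unless obj
    window = @hits[user.name]
    window.reject! { |t| now - t >= 60 }    # sliding one-minute window
    window << now
    reason = policy.refuse_reason(user, now, window.size)
    raise AccessDenied, "#{user.name} -> /project/#{id}: #{reason}" if reason
    obj
  end
end

# Constructed sample data: three projects with different policies.
def build_demo
  store = {
    1 => ['alpha', AccessPolicy.new(owner: 'alice', roles: [:admin])],
    2 => ['beta',  AccessPolicy.new(owner: 'bob', min_level: 9)],
    3 => ['gamma', AccessPolicy.new(public: true, hours: 20..21, max_per_minute: 10)],
  }
  Guard.new(store)
end

def outcome(guard, user, id, now)
  guard.fetch(user, id, now: now)
  :allowed
rescue AccessDenied
  :denied
rescue NotFound
  :missing
end

def run_demo
  guard = build_demo
  alice = User.new('alice', 1, [])
  bob   = User.new('bob',   1, [])
  carol = User.new('carol', 10, [])
  admin = User.new('root',  0, [:admin])
  t     = Time.new(2005, 11, 11, 20, 30, 0)   # inside the 20..21 window
  r = {}
  r[:alice_own]   = outcome(guard, alice, 1, t)   # owner aspect
  r[:alice_guess] = outcome(guard, alice, 2, t)   # typing /2 by hand gains nothing
  r[:carol_level] = outcome(guard, carol, 2, t)   # level 10 satisfies min_level 9
  r[:admin_role]  = outcome(guard, admin, 1, t)   # role aspect
  r[:unknown_id]  = outcome(guard, alice, 4, t)
  r[:night]       = outcome(guard, alice, 3, Time.new(2005, 11, 11, 3, 0, 0))
  # eleven requests to a 10/minute object within the same minute: the last one trips the cap
  r[:burst] = 11.times.map { |i| outcome(guard, bob, 3, t + i) }.last
  r
end
```

Run `run_demo` to see the outcomes side by side: the guessed /project/2 is denied
for alice while the same URL is allowed for carol by level, the public object is
refused outside its hour window, and the eleventh request in a minute is refused
by the frequency rule. Whether a rate cap belongs in the authorisation policy or
in a separate layer is a design choice; it is bundled here only because the
proposal above bundles it.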
