Re: [htdig] htsearch and user access


Torsten Neuer (tneuer@inwise.de)
Mon, 3 May 1999 09:28:21 +0200


According to Nathaniel Irons:
>On 5/1/99 at 2:33 PM, tneuer@inwise.de (Torsten Neuer) wrote:
>
>> Instead of parsing the output, generate a dynamic search frontend using
>> the user's id to create hidden "restrict" and/or "exclude" input fields
>> for htdearch.
>
>But if the data is interesting, and/or the users are relatively adept, I don't
>see any reason not to expect them to create their own query strings. It'll be
>trivial if all they have to do is remove an argument or two to htsearch.

It really doesn't matter if the data is "interesting" when a person has
no permission to look at it and/or use it. "Exclude"/"restrict" do not
limit the users by means of query strings. The users are still able to
create their own queries - but only in the data areas they have access to.

>Slightly safer would be adding required keywords to each successive level of
>access, so gaining higher levels of access would require additional knowledge.
>Safer still would be building separate databases around significant shifts in
>access privileges, and using the user's id to generate pointers to entirely
>different configuration files, whose location you could easily randomize every
>so often. It depends on how secure you need to be.

If the user access is limited to designated areas by password, keywords
will be extremely *unsafe* and *insecure*, thus revealing areas to those
who normally do not have the right to access them. "Exclude"/"restrict"
limits the queries to those areas where access is granted. If queries
are to be limited by special keywords, they will be revealed to users
who look at the HTML source of the query form and thus will be able to
gain access to hidden and secure areas via search queries.

Therefore limiting queries for users with different access rights, the
use of "exclude" and "restrict" is the only choice.

  Torsten

--
InWise - Wirtschaftlich-Wissenschaftlicher Internet Service GmbH
Waldhofstraße 14                            Tel: +49-4101-403605
D-25474 Ellerbek                            Fax: +49-4101-403606
E-Mail: info@inwise.de            Internet: http://www.inwise.de

------------------------------------ To unsubscribe from the htdig mailing list, send a message to htdig@htdig.org containing the single word "unsubscribe" in the SUBJECT of the message.



This archive was generated by hypermail 2.0b3 on Mon May 03 1999 - 00:45:57 PDT