Comments on: csSecurityTaskExtraPlugin: Untangle Complex Security Confusion

By: NiKo

NiKo — Mon, 08 Feb 2010 20:48:10 +0000

Yes, that would be a fantastic feature to have in symfony, but a little be trickier to implement.

In a first (but somewhat consequent) step, just having to type app:test-security (or more simply test:security) to check all the configured security rules against user/credentials defined in the model *automatically* would just be amazingly useful

By: admin

admin — Mon, 08 Feb 2010 20:18:32 +0000

Ahh, this is an edge case I did not consider.

As for your suggestion about automating tests, you could even have a parsible text file a la:

- Users of GROUP group can access MODULE / ACTION
- Users with PERMISSION permission cannot access MODULE ACTION
- User USERNAME can access MODULE

And automate from there. Similar to Cucumber (http://cukes.info/) for ruby, but more specialized.

By: NiKo

NiKo — Mon, 08 Feb 2010 20:15:22 +0000

Just a thing, it looks that the plugin won’t introspect security from plugins modules which are enabled in an app…

By: NiKo

NiKo — Mon, 08 Feb 2010 19:57:09 +0000

Neat. What would be great would be to have some ability to script|configure full security test suites using a matrix like the one in the task output, or a yaml file, maybe a sfSecurityTester or something approaching… The idea would be then to have web security test coverage integrated with lime results.

More fun: could be fully automated; you know the users, the groups and perms, so all user credentials; you know the required credentials configured for all controllers within an application. Iterating over all members, challenging every controller access with their credentials should be “quite easy” (well, you know what I mean here).

Random rough thoughts, handle with care.