schooltool-developers team mailing list archive

Re: Use of SchoolTool to authenticate users in pyquiz

 

With regard to security, if the xmlrpc only responds to requests from
localhost, I agree that that should be fine. However, if it's just plain
built in to SchoolTool, wouldn't the xmlrpc URL be available externally as
well? If so, that's a bit less secure.

Filip Sufitchi

On May 26, 2011 12:01 PM, "Douglas Cerna" <douglascerna@xxxxxxxxx> wrote:
> Justas:
>
> Jeffrey is developing an application called pyquiz to create tests for his
> students using Pyramid. Now, he has this requirement (sorry for flooding):
>
> Jeff Elkner: 1. user points browser at pyquiz
> Jeff Elkner: 2. clicks "login"
> Jeff Elkner: 3. types user name and password
> Jeff Elkner: 4. pyquiz asks ST, is this a valid user?
> Jeff Elkner: 5. ST says yes or no
> Jeff Elkner: if yes, user is logged in
> Jeff Elkner: if no, login fails
> Jeff Elkner: i don't want to create users in two places
> Jeff Elkner: and have to make sure they are in sync somehow
> Jeff Elkner: when a new student is added to ST
> Jeff Elkner: and put in a section
> Jeff Elkner: they can log in to pyquiz
> Jeff Elkner: with no configuration on the pyquiz side
>
> I think an easy solution is to create a small XMLRPC method publisher that
> gets the person and calls checkPassword on it, returning True or False. Then
> we could create a URL for this method like http://server_name/xmlrpc for
> pyquiz to send its login requests. If pyquiz gets True on the response, then
> it creates (or looks up) a space in its database for the username.
>
> I know a very well designed mechanism should include encryption/decryption
> for the requests, but these services are going to run on the same server and
> I'm assuming that's secure enough.
>
> Please let me know what you think about this approach.
>
> Thanks.
> Douglas
>
> "... that's when you realize that bad things can turn out to be
> quite good..." - Lionel Messi
>
> Please avoid sending me Word, Excel or PowerPoint attachments.
> See http://www.gnu.org/philosophy/no-word-attachments.es.html
>
> _______________________________________________
> Mailing list: https://launchpad.net/~schooltool-developers
> Post to : schooltool-developers@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~schooltool-developers
> More help : https://help.launchpad.net/ListHelp
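
The loopback-only password check discussed in this thread, as an added example (not code from SchoolTool, pyquiz or either poster). The user table, handler class and function names are assumptions, and a constructed PBKDF2 hash stands in for SchoolTool's own checkPassword call on the person.

```python
import hashlib
import hmac
import ipaddress
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

# Constructed sample data standing in for SchoolTool's person records.
_SALT = b"constructed-salt"

def _digest(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"student1": _digest("correct horse")}

def check_password(username, password):
    """Answer pyquiz's question: is this a valid user? True or False."""
    stored = USERS.get(username)
    candidate = _digest(password)  # computed even for unknown users
    return stored is not None and hmac.compare_digest(stored, candidate)

def is_loopback(address):
    return ipaddress.ip_address(address).is_loopback

class LoopbackOnlyHandler(SimpleXMLRPCRequestHandler):
    rpc_paths = ("/xmlrpc",)
    def do_POST(self):
        # Second check behind the bind address: reject any non-local peer.
        if not is_loopback(self.client_address[0]):
            self.send_error(403)
            return
        super().do_POST()

def start_server(host="127.0.0.1", port=0):
    """Bind to loopback only, so the URL is not reachable externally."""
    server = SimpleXMLRPCServer((host, port), requestHandler=LoopbackOnlyHandler,
                                logRequests=False)
    server.register_function(check_password)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def pyquiz_login(port, username, password):
    proxy = xmlrpc.client.ServerProxy(f"http://127.0.0.1:{port}/xmlrpc")
    return proxy.check_password(username, password)

if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    print([pyquiz_login(port, "student1", p) for p in ("correct horse", "wrong")])
    srv.shutdown()
```

Binding to `127.0.0.1` keeps the endpoint off external interfaces, and the handler's peer check still refuses remote callers if the bind address is later widened.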
