Zope or PHP

[Hrqls]

does anyone know Zope ?

what i heard about it is that its quite easily to create authentication protocols with it ?

what we want to do is not that difficult .. it can probably even be done in php .. but its too tough for me

below is a small schedule as what we need :

- H is the main user sysop .. who needs to have access to everything below .. he can add/change/delete any users
- the users A and B only have access to the users below them (not to the users below the other) and they can add/change/delete any users below them
- the same for the users V,W,X,Y
- at the bottom are the end users who can only use the system .. they dont have any access to the user accounts/setup

this should all be running on a remote webserver to which they dial in (even user H dials in) and on which they have to identify themselves with a username and password

Code:

           H
          / \
         /   \
        /     \
       /       \
      /         \
     A           B
    / \         / \
   /   \       /   \
  V     W     X     Y
 / \   / \   / \   / \
i   j k   l m   n o   p

is this difficult to achieve in Zope ?
is this difficult in php ?

(the problem is we are looking to hire someone to set this up andwe know noone who knows Zope (well we know one, but he is busy for the next several months), its a lot easier to find someone for hire who knows php .. but would it be just as good ?)

[sde]

what is the content that the permission heirarchy needs to be setup on? is it data, files, directories?

[Hrqls]

management of traffic lights

the users will have access to everything in the traffic automats all over the country (well only the ones ownded or placed by our company ) .. archvillains could use it to bring down all traffic lights causing chaos everywhere

so you could say that the security is a matter of life and death

(the automat has a dial up line connected to a modem connect to a pc104 board running a version of linux (dont know which from the top of my head, sorry) with a webserver, which communicates with the software running the traffic lights)

do you know zope ? or would you suggest something else ?

[bdl]

No offense, but this is kinda scary stuff, mission critical. I don't know that opensource software is exactly what you want to be running here...

[Hrqls]

agree .. its quite critical ... but cant open source also be secure ?

i thought most secure webservers were linux based ? and linux (or unix) is open source ?

[sde]

i don't know zope .. i have only picked up books at the book store on it.

sounds like a great project though =) what is wrong with open source for mission critical stuff?

[bdl]

Quote:

Originally posted by Hrqls
agree .. its quite critical ... but cant open source also be secure ?

i thought most secure webservers were linux based ? and linux (or unix) is open source ?

Well, this is a case, IMHO, where you're dealing with people's lives (potentially, not literally as in life-support systems or something) and something a little more proprietary might be better. What that would be in your case, I have no idea, sorry to say. This is like the recent problems with the MSBlaster worm where there was a problem at a nuclear power plant because their internal, mission critical network was overloaded due to the worm (and the use of Windows on that particular network). So in that case, they should have had zero access to the outside, and definitely no Windows machines on the network.

Yes, probably the majority of webservers are linux / bsd based, but at most a webserver can cause your personal info or the credit card number stolen, not wreck a dozen cars at an intersection and kill 10 people...

Again, this is just my opinion, not preaching against using PHP or other opensource applications.

[Hrqls]

yes i can see your concern ... and we are concerned as well .. and i like its very much that you are giving your thoughts about our system .. every input is of great value as we are just deciding which path to follow .. and we would like to skip any paths which could give troubles

one extra security which is built in is that the traffic automats are not directly on the internet .. you have to dial up to them and know the phone number .. which is the main security .. after that the zope/php/'something else?' will have to block the people who know the phonenumber and know how to use the webserver.

in fact its not a traffic automat which is connected to the webserver, but a dynamic ..hmm..dont know the english word.. a dynamic 'pole which rises out of the ground to block entry' .. the webserver will have access to the statistics about the detectors and the rising and dropping of the 'pole' and everything else we can detect .. also on the highest authorisaztion levels there will be some commands available to drop the 'pole' to give access to 1 car, or to drop all of them in case of emergency (when the police/firesquad/first aid/... have to entry the center of town real quick) .. also when the webserver goes down the 'poles' will drop

so its still having some effect on the traffic, but not on the ordinary traffic lights .. although that might be plans for the future .. i dont know about it yet .. they told me nothing about that yet .. but i can imagine they are thinking about it.

the market is asking for management-from-a-distance ... and we have to create & deliver it

we are trying to get as much input about the security about such systems as possible .. and love any suggestions and alternatives as well
(as we are lacking some real experience in webbased and linux and security protocols on those )

[bdl]

Interesting, so this isn't a system that actually controls the traffic lights themselves but a barracade that comes up and allows traffic to go through, like a security gate at a military base or elsewhere. Am I reading this correctly?

With this system, I don't think it's a big issue to use PHP or anything else you might want to use. You also have some obscure dial-up numbers, that helps, and you can also put the web server on a non-standard port (assuming someone does accidentally dial in with a PC) and a couple of other security methods to help secure the site (HTTP access control / ssl / PHP sessions, etc.).

If you're talking about controlling traffic lights where some cracker gets into the system and causes all the lights to turn green and 100 traffic accidents, then that's something else altogether.


Being unfamiliar with Zope, I'm looking into it just for curiosity sake. Looks interesting, although I don't see why you wouldn't be able to use PHP to do exactly what you want.

I took this from the Zope website:

Quote:

Object Orientation
Unlike common file-based Web templating systems such as ASP or PHP, Zope is a highly "object-oriented" Web development platform. Object orientation is a concept that is shared between many different programming languages, including the Python language in which Zope is implemented. The concept of object orientation may take a little "getting-used-to" if you're an old hand at primarily procedural languages typically used for web scripting such as Perl or PHP, but you should be able to get a grasp on the concepts by reading the Object Orientation chapter and by "learning-by-doing" with respect to the examples in the book.

[Hrqls]

yes thats correct, a barricade allowing only traffic into the center of town who are authorized (having a pass, or a 'transponder' (public transports))

the case which you describes about hackers turning all lights to green wont work out, because the traffic automats have a standalone security which will turn all lights to blinking yellow incase something happens which is forbidden (like this case ) ... it will still cause a lot of chaos though
they could also turn off all detectors or fixate 1 direction on green, and thereby blocking all other directions in red, which will drive the drivers (bad pun ) through red after some time ...
but this is future talk anyway ... we will test it out with this barriace system first

we still need an authorization protocol as i described in the first post .. 1 overall super sysop (our company), several normal sysyops (the customers), several super users with slightly less access than the sysops (the sysops in the customers various departments), and in the end the normal users with next-to-no knowledge

as i am unfamiliar with both zope and php (only created 'hello world' in php i think, in fact i just copied it from a book , didnt have time to do more with it yet) ... is it possible with php as well ?
what barricades (bad pun again ) could we come across ?
do you foresee any problems ?

as i am unfamiliar with authentication protocols as well (just using them ), do you know any nice websites about them .. when i google about it, i get way too many hits

thanks for your help so far already