Hi Chris,

Can I specify security annotations on objects persisted in the ZODB, as per Zope 3/Zope 2, which are over and above the class/view declaration? bfg wasn't around when we started, so I have looked too closely at bfg from a security point of view.

T

On Sun, Apr 12, 2009 at 9:14 AM, Chris McDonough <chrism@plope.com> wrote:
On 4/11/09 8:10 PM, Tim Hoffman wrote:
If someone were coming to the Zope party now and needed the full-blown security model and view mechanisms, and the zcml tied to that model, what would the choice be going forward?
repoze.bfg has pretty much gutted that model (which is fine, as a simpler model is definitely required; I am planning to revisit bfg with my zope on gae work).
As far as I know, the only bit that BFG doesn't have out of the box (or at least in combination with an authentication system like repoze.who) that Zope 2 or Zope 3 does is the concept of allowing untrusted users to write code (e.g. "TTW code").
All other concepts present in Zope 2/3 that I know of can be composed using the out-of-the-box BFG primitives of context-sensitive security (via ACLs attached to model objects), view permissions, and principals. Because the only code that is published to the web within BFG is view code, no other security is required for "belt and suspenders"; for example, you don't need to protect model methods because there's just no way they'll be invoked within a BFG application.
For more information, see http://docs.repoze.org/bfg/narr/security.html .
- C
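The model Chris describes (an ACL attached to a model object, walked up through the object's parents, checked against the permission a view declares) can be shown in a few dozen lines. The block below is an added, self-contained re-implementation written for this thread; it is not repoze.bfg's own code. The `Allow`/`Deny`/`Everyone`/`Authenticated` names and the `__acl__`/`__parent__` conventions follow BFG's documented interface; the `Resource` class, the `protected` decorator, `effective_principals`, and the sample site tree are assumptions made for the example. An `__acl__` stored on a persisted object is exactly the "per-object annotation" asked about above: it overrides whatever the site-wide ACL says, because the lineage walk checks the object's own ACL first.

```python
# Added example: ACL-based, context-sensitive authorization in the style of
# repoze.bfg. Not BFG's code; names follow BFG's documented conventions,
# everything else here is a constructed illustration.

Allow = "Allow"
Deny = "Deny"
Everyone = "system.Everyone"
Authenticated = "system.Authenticated"


class Forbidden(Exception):
    """Raised when the request's principals lack the view's permission."""


class Resource:
    """A model object. An __acl__ set on it is what would live in the ZODB."""

    def __init__(self, name, parent=None, acl=None):
        self.__name__ = name
        self.__parent__ = parent
        if acl is not None:
            self.__acl__ = acl


def lineage(resource):
    """Yield the resource, then each __parent__ up to the root."""
    while resource is not None:
        yield resource
        resource = getattr(resource, "__parent__", None)


def permits(context, principals, permission):
    """First matching ACE wins, nearest object first; no match means deny.

    Ordering therefore matters: a Deny placed on a sub-folder shadows an
    Allow on the root for everything below that folder.
    """
    for location in lineage(context):
        acl = getattr(location, "__acl__", None)
        if acl is None:
            continue
        for action, principal, perms in acl:
            if principal not in principals:
                continue
            if isinstance(perms, str):
                perms = (perms,)
            if permission in perms:
                return action == Allow
    return False  # default deny: no ACE anywhere spoke for this permission


def effective_principals(userid=None, groups=()):
    """Principals of a request (assumed shape): Everyone always, plus
    Authenticated, the user id and group ids when someone is logged in."""
    principals = {Everyone}
    if userid is not None:
        principals.update({Authenticated, userid, *groups})
    return principals


def protected(permission):
    """Plays the role of a view's permission declaration (assumed helper)."""
    def wrap(view):
        def guarded(context, principals):
            if not permits(context, principals, permission):
                raise Forbidden(f"{permission!r} on {context.__name__!r}")
            return view(context, principals)
        return guarded
    return wrap


@protected("edit")
def edit_view(context, principals):
    return f"editing {context.__name__}"


# Constructed sample tree: a site-wide ACL on the root, overridden below.
root = Resource("site", acl=[
    (Allow, Everyone, "view"),
    (Allow, "group:editors", ("view", "edit")),
])
public_doc = Resource("public", parent=root)
private = Resource("private", parent=root, acl=[(Deny, Everyone, "view")])
private_doc = Resource("secret", parent=private)

anon = effective_principals()
editor = effective_principals("bob", groups=["group:editors"])

if __name__ == "__main__":
    print(permits(public_doc, anon, "view"))      # True: root allows Everyone
    print(permits(private_doc, editor, "view"))   # False: folder Deny shadows root
    print(permits(private_doc, editor, "edit"))   # True: no ACE for edit until root
    print(edit_view(private_doc, editor))
```

The point to notice is the third call: the private folder denies `view` to everyone, editors included, yet still lets editors `edit`, because the folder's ACL says nothing about `edit` and the walk falls through to the root. That is also why model methods need no protection of their own, as the message says: the only code reachable from the web is a view, and every view is gated by `permits` before it touches the context.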