On Mar 25, 2008, at 5:25 AM, Martijn Faassen wrote:

> Security proxies: this topic may not be directly publisher related,

It's not.

> but maybe it is.

Nope. :)

> Somewhere quite low in the request handling of Zope 3 a security
> proxy is introduced around the objects being traversed.

This is done by the default Zope 3 publication object,
zope.app.publication.zopepublication.ZopePublication.

> Grok doesn't want security proxies, so rips them off again in a
> custom publisher. It'd be nice if there were a hook point that would
> enable us not introducing this proxy in the first place.


There always has been, as I've mentioned many times. The same hook
point allows use of Zope 3 without ZODB.  These policies are provided
by the publication object.  It's a shame that the convoluted setup
system made this so inaccessible.

My hope is that zope.publisher.paste makes it *much* easier to use a
different publications and thus a different set of policies. (I plan
to update zc.zope3recipes to provide an instance recipe pased on paste.)

I'm 99% sure that most or all of the simplicity to want has already
been there for a long time or is there now with the simpler setup
framework in zope.publisher.paste.

Note that my proposal wasn't to simplify the publisher.  I think it
already is pretty simple and I hope the recent zope.publisher.paste
work exposes the simplicity by stripping off layers of overly complex
setup.  My proposal was simply to extract some core functionality in a
way that greatly reduces dependencies.  I don't expect this stripped
down version to be of interest to most of the zope community.  I do
think it might be useful to people with much more limited needs.  I
didn't the proposal because I thought it would be of general interest,
but to ask permission.  I want to do this refactoring, to avoid a (yet
another) fork of the publisher. I should have made this clearer.