Tony McDonald <tony.mcdonald@ncl.ac.uk> said:
Cees has a point here regarding the management of security. Does anyone know of any tools available to manage security without using the web interface? Does XML-RPC have a role (ho ho) to play here?
I think that what Zope needs most is (and I've said that many times before - I even posted code so people can't accuse me of just shouting things ;-)) a "local" GUI. Take Python+ZEO+TkInter, and suddenly you have a whole set of options for security management. Directly talking through ZEO to the database is probably easier than stuffing XML-RPC in between...

Apart from that, I think Zope's security model needs to be reviewed. As I'm currently churning out 100-hour workweeks, I haven't really spent much thought on how it could be improved, but somehow this whole proliferation of roles, coupled with extremely low "visibility" of who can do what, doesn't feel right.

One of the reasons that I want to split off business code in a separate appserver is that I can "escape" the Zope security model. At the moment, I publish database records through a Python product that applies Zope security to them (e.g. the owner_id of a row gets the Owner role of the object that's published through Zope), and I must say that - apart from the work to get it to work - it doesn't give me a good feeling. Security must be simple, and the baroqueness of owners, local roles, permissions, and whatnot doesn't really support that goal.
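The pattern the reply describes (a published row's owner_id becomes the Owner local role on the published object) and the complaint that follows it (low visibility of who can do what) can both be made concrete with a small model. The code below is an added illustration, not code from the thread and not Zope's own security machinery: the permission names, the role-to-permission table and the user names are constructed for the example, and the "who can do what" report is the kind of check a local GUI or script would run to audit the resulting grants.

```python
"""Toy model of owner-derived local roles plus a "who can do what" report.

Added illustration, not Zope's code. Assumptions (all constructed for the
example): the permission names VIEW/EDIT/DELETE, the ROLE_PERMISSIONS table,
and the sample users and rows at the bottom.
"""
from dataclasses import dataclass, field

# Hypothetical permission names.
VIEW = "View"
EDIT = "Edit"
DELETE = "Delete"

# Role -> permissions. Constructed for the example, not Zope's real defaults.
ROLE_PERMISSIONS = {
    "Anonymous": {VIEW},
    "Member": {VIEW},
    "Owner": {VIEW, EDIT, DELETE},
    "Manager": {VIEW, EDIT, DELETE},
}


@dataclass
class PublishedRow:
    """A database row exposed as an object; the owner gets a local Owner role."""
    row_id: int
    owner_id: str
    local_roles: dict = field(default_factory=dict)  # user -> set of role names

    def __post_init__(self):
        # The pattern from the post: owner_id of the row -> Owner local role.
        self.local_roles.setdefault(self.owner_id, set()).add("Owner")


def effective_roles(global_roles, obj, user):
    """Everyone is Anonymous; add the user's global roles and local roles here."""
    roles = {"Anonymous"}
    roles |= global_roles.get(user, set())
    roles |= obj.local_roles.get(user, set())
    return roles


def allowed(global_roles, obj, user, permission):
    """True if any effective role on obj grants the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in effective_roles(global_roles, obj, user))


def who_can(global_roles, obj, users):
    """Visibility report: permission -> {user: sorted roles that grant it}.

    This is the 'who can do what' view the post says is hard to see; listing
    the granting roles makes an unintended grant (e.g. a stray Manager) obvious.
    """
    report = {}
    for perm in (VIEW, EDIT, DELETE):
        holders = {}
        for user in users:
            via = sorted(role for role in effective_roles(global_roles, obj, user)
                         if perm in ROLE_PERMISSIONS.get(role, set()))
            if via:
                holders[user] = via
        report[perm] = holders
    return report


def unexpected_deleters(global_roles, obj, users):
    """Audit: users who may DELETE without being the owner or a Manager."""
    return sorted(u for u in users
                  if allowed(global_roles, obj, u, DELETE)
                  and u != obj.owner_id
                  and "Manager" not in global_roles.get(u, set()))


# Constructed sample data.
SAMPLE_GLOBAL_ROLES = {"alice": {"Manager"}, "bob": {"Member"}, "carol": {"Member"}}
SAMPLE_USERS = ["alice", "bob", "carol"]
SAMPLE_ROW = PublishedRow(row_id=42, owner_id="carol")

if __name__ == "__main__":
    for perm, holders in who_can(SAMPLE_GLOBAL_ROLES, SAMPLE_ROW, SAMPLE_USERS).items():
        print(perm, holders)
    print("unexpected deleters:", unexpected_deleters(SAMPLE_GLOBAL_ROLES, SAMPLE_ROW, SAMPLE_USERS))
```

Running the report over each published object is the cheap substitute for the visibility the post asks for: the owner shows up with Edit and Delete via Owner, the Manager via Manager, and anyone else holding Delete is flagged by the audit helper.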