Lucas Vogel writes:
Could someone point me to some good documentation to explain security in Zope for me? I am trying to set up the GUF through my database, but I find I am having a hard time figuring out proxy logins and the like and would like to read up and have a good understanding of the Zope model before I start outsourcing it to my db.
The 'Delegating control' section of the Zope Content Managers' Guide is a good start, as well as the README for GUF. Basically, assigning a proxy role for an object (like a report method for a form) lets it perform any action that that role can perform. The basic idea is that users shouldn't (generally) have direct access to database methods - especially ones related to the authentication/authorization systems. In the case of GUF, you should ensure that anonymous users can't access database methods, and create a role that can access the db methods. Then, for each report method that needs to access one of these DB methods, you assign it a proxy role of authorizer. Thus the report gets to chew on the user's input before doing anything like changing a password or setting roles. Hope this helps. John.
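The arrangement John describes, as an added illustration that is not code from the thread or from Zope itself: a simplified model of Zope-style proxy roles in which an executable's proxy roles replace the caller's roles while its code runs. The role name "Authorizer", the permission names and the report/DB method names are assumptions for the example.

```python
# Simplified model of Zope-2 style proxy roles (added illustration, not Zope code).
# An executable's proxy roles replace the calling user's roles while it runs.

class Unauthorized(Exception): pass

class Protected:
    """A Zope-like object: a permission -> allowed-roles map plus a body."""
    def __init__(self, name, permission, roles, body, proxy_roles=None):
        self.name = name
        self.permission = permission   # permission needed to call this object
        self.roles = set(roles)        # roles granted that permission
        self.body = body               # callable(ctx, *args)
        self.proxy_roles = set(proxy_roles) if proxy_roles else None

def call(obj, ctx, *args):
    """Validate the call against the roles in effect, then run the body.
    ctx is a list of role sets; the last entry is what is currently in effect."""
    effective = ctx[-1]
    if not (effective & obj.roles):
        raise Unauthorized(f"{obj.name}: needs one of {sorted(obj.roles)}")
    # Inside this executable, its proxy roles (if any) replace the caller's.
    ctx.append(obj.proxy_roles if obj.proxy_roles is not None else effective)
    try:
        return obj.body(ctx, *args)
    finally:
        ctx.pop()

# Constructed objects: a DB method reserved for Authorizer, two report methods.
set_password_db = Protected("set_password_db", "Use Database Methods",
                            roles={"Authorizer"},
                            body=lambda ctx, u, p: f"changed {u}")

def report_body(ctx, user, new_pw):
    # The report validates the user's input first, then delegates to the DB method.
    if len(new_pw) < 8:
        return "rejected: password too short"
    return call(set_password_db, ctx, user, new_pw)

safe_report = Protected("safe_report", "View", roles={"Anonymous"},
                        body=report_body, proxy_roles={"Authorizer"})
unproxied_report = Protected("unproxied_report", "View", roles={"Anonymous"},
                             body=report_body)

def run_as(roles, obj, *args):
    # Invoke obj as a user holding the given roles; report denial as a string.
    try:
        return call(obj, [set(roles)], *args)
    except Unauthorized:
        return "Unauthorized"
```

An anonymous user cannot reach the DB method directly or through a report without the proxy role, but can through the report that carries it, and only after the report has checked the input.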