[Grok-dev] Re: 0.14 todo list

Martijn Faassen faassen at startifact.com
Wed Jul 30 06:36:56 EDT 2008


Philipp von Weitershausen wrote:
> Martijn Faassen wrote:
>> Hi there,
>>
>> Philipp von Weitershausen wrote:
>> [snip]
>>>> Anything else to put on the list?
>>>
>>> Model-based security.
>>
>> I deliberately didn't put it on the list, as 0.14 will be challenging 
>> enough without it. I'd like to get the WSGI stuff in there finally, 
>> and that's a huge enough new feature without piling on this.
>>
>> Anyway, just a meme correction: Grok *does* have model-based security 
>> and always has. We shouldn't go around saying Grok doesn't have it. It 
>> doesn't have model-based security *checks*, but it's perfectly 
>> possible to assign someone or a group a permission or role on a model.
> 
> Not wanting to get into a terminology discussion, but I'd call these 
> "model-based grants". This is a feature of Grok's default security 
> policy, zope.securitypolicy. By model-based security I meant 
> attribute-level protections on models.

I'm talking about marketing here. I'd prefer to call the model-based 
grants "model-based security", or "model-level permissions". This is 
for the reason that if you talk to someone who has no idea that security 
proxies even exist (most Python programmers out there), "Grok needs 
model-based security" means to him that Grok has no model-based grants 
yet. But Grok/Zope 3 actually has a very powerful system for this, 
probably more powerful than all competing web frameworks. We should be 
careful to emphasize Grok's powerful security model and not accidentally 
give people the impression that it doesn't.

Regards,

Martijn
