[Grok-dev] Re: 0.14 todo list
Philipp von Weitershausen
philipp at weitershausen.de
Wed Jul 30 10:04:28 EDT 2008
Martijn Faassen wrote:
> Philipp von Weitershausen wrote:
>> Martijn Faassen wrote:
>>> Hi there,
>>>
>>> Philipp von Weitershausen wrote:
>>> [snip]
>>>>> Anything else to put on the list?
>>>>
>>>> Model-based security.
>>>
>>> I deliberately didn't put it on the list, as 0.14 will be challenging
>>> enough without it. I'd like to get the WSGI stuff in there finally,
>>> and that's a huge enough new feature without piling on this.
>>>
>>> Anyway, just a meme correction: Grok *does* have model-based security
>>> and always has. We shouldn't go around saying Grok doesn't have it.
>>> It doesn't have model-based security *checks*, but it's perfectly
>>> possible to assign someone or a group a permission or role on a model.
>>
>> Not wanting to get into a terminology discussion, but I'd call these
>> "model-based grants". This is a feature of Grok's default security
>> policy, zope.securitypolicy. By model-based security I meant
>> attribute-level protections on models.
>
> I'm talking about marketing here. I'd prefer to call the model-based
> grants "model-based security", or "model-level permissions". This is for
> the reason that if you talk to someone who has no idea that security
> proxies even exist (most Python programmers out there), "Grok needs
> model-based security" means to him that Grok has no model-based grants
> yet. But Grok/Zope 3 actually has a very powerful system for this,
> probably more powerful than all competing web frameworks. We should be
> careful to emphasize Grok's powerful security model and not accidentally
> give people the impression that it doesn't.

Good points. Let's call the todo list item "Protecting models with
permissions" then.