[Grok-dev] Let's make security proxies an option
Jan-Wijbrand Kolman
janwijbrand at gmail.com
Thu Apr 16 14:17:45 EDT 2009
Reviving this thread,
Shane Hathaway wrote:
> Hi Grokkers,
>
> I'm working on an application with sensitive security requirements. I
> really need to deny everything by default, otherwise it's impossible to
> enumerate the risks. Still, I'd like to use Grok's features to get this
> application working quickly.
>
> Martijn talked about security in Grok here:
>
> http://faassen.n--tree.net/blog/view/weblog/2008/04/17/0
>
> As Martijn explained, Grok currently disables most of Zope 3's model
> security because it is somewhat cumbersome. However, one of the primary
> things that keep me coming back to Zope is the model security. I need
> that safety net.
>
> For my current project, without model security, Grok is a no-go for me.
> However, I decided to see if I could re-enable model security by
> commenting out the publication factories in grok/configure.zcml. It
> worked, except that then my app was inaccessible. I added class
> declarations in my own configure.zcml, and everything worked fine again!
>
> Based on this experience, I think Grok should have documented ways to
> enable model security and set method and attribute permissions using
> Grok functions rather than ZCML. I don't know whether model security
> should be enabled by default; that's a much bigger discussion.
Today by coincidence I ran into this:
http://svn.zope.org/grokcore.formlib/trunk/src/grokcore/formlib/testing.py
especially lines 36 - 54.
Is there anything we can learn from this?
regards,
jw