[Grok-dev] Let's make security proxies an option

Jan-Wijbrand Kolman janwijbrand at gmail.com
Thu Apr 16 14:17:45 EDT 2009


Reviving this thread,

Shane Hathaway wrote:
> Hi Grokkers,
> 
> I'm working on an application with sensitive security requirements.  I 
> really need to deny everything by default, otherwise it's impossible to 
> enumerate the risks.  Still, I'd like to use Grok's features to get this 
> application working quickly.
> 
> Martijn talked about security in Grok here:
> 
> http://faassen.n--tree.net/blog/view/weblog/2008/04/17/0
> 
> As Martijn explained, Grok currently disables most of Zope 3's model 
> security because it is somewhat cumbersome.  However, one of the primary 
> things that keep me coming back to Zope is the model security.  I need 
> that safety net.
> 
> For my current project, without model security, Grok is a no-go for me.
> However, I decided to see if I could re-enable model security by
> commenting out the publication factories in grok/configure.zcml.  It 
> worked, except that then my app was inaccessible.  I added class 
> declarations in my own configure.zcml, and everything worked fine again!
> 
> Based on this experience, I think Grok should have documented ways to 
> enable model security and set method and attribute permissions using 
> Grok functions rather than ZCML.  I don't know whether model security 
> should be enabled by default; that's a much bigger discussion.

Today by coincidence I ran into this:

http://svn.zope.org/grokcore.formlib/trunk/src/grokcore/formlib/testing.py

especially lines 36 - 54.

Is there anything we can learn from this?

regards,
jw
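
Added example, not part of the original message and not code from Grok or zope.security: a plain-Python model of the deny-by-default attribute checking that the quoted message asks for, where only declared attributes are reachable and each needs a granted permission. The class names, `Document`, and the `app.View` / `app.Edit` permission names are hypothetical.

```python
class Unauthorized(Exception):
    """A permission is declared for the attribute but not granted."""
class ForbiddenAttribute(Exception):
    """No permission is declared for the attribute: denied by default."""

class Checker:
    """Maps attribute names to the permission needed to read or set them."""
    def __init__(self, get_permissions, set_permissions=None):
        self.get_permissions = dict(get_permissions)
        self.set_permissions = dict(set_permissions or {})
    def check(self, table, name, granted):
        if name not in table:            # undeclared means forbidden
            raise ForbiddenAttribute(name)
        if table[name] not in granted:
            raise Unauthorized(name)

class SecurityProxy:
    """Wraps a model object; every read and write goes through the checker."""
    __slots__ = ("_obj", "_checker", "_granted")
    def __init__(self, obj, checker, granted):
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_checker", checker)
        object.__setattr__(self, "_granted", frozenset(granted))
    def __getattribute__(self, name):
        get = object.__getattribute__    # reach the proxy's own slots
        checker = get(self, "_checker")
        checker.check(checker.get_permissions, name, get(self, "_granted"))
        return getattr(get(self, "_obj"), name)
    def __setattr__(self, name, value):
        get = object.__getattribute__
        checker = get(self, "_checker")
        checker.check(checker.set_permissions, name, get(self, "_granted"))
        setattr(get(self, "_obj"), name, value)

class Document:                          # hypothetical model class
    def __init__(self, title, body):
        self.title, self.body = title, body
        self.internal_notes = "constructed sample data"

# Hypothetical declarations (read table, then write table): only what is
# listed here is reachable at all through a proxy.
DOCUMENT_CHECKER = Checker({"title": "app.View", "body": "app.View"},
                           {"title": "app.Edit"})

def outcome(action):
    """Run a zero-argument callable; return its value or the denial's name."""
    try:
        return action()
    except (ForbiddenAttribute, Unauthorized) as exc:
        return type(exc).__name__
```

Pure Python cannot stop a caller from invoking `object.__getattribute__` on the proxy directly, so this models the checking logic only, not an enforcement boundary.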



