[Zope-dev] Re: Improvements for Zope2's security
Sidnei da Silva
sidnei at enfoldsystems.com
Tue Sep 19 11:38:15 EDT 2006
On Tue, Sep 19, 2006 at 04:34:55PM +0200, Philipp von Weitershausen wrote:
| >In general I prefer old and well tested security code over new
| >security related code. Martjin, Phillip and all the other people are
| >doing a great job with Five but well ... it's new code. New code tends
| >to break because it is not as well tested as old code.
|
| There isn't much new in terms of security regarding what ZCML does in Five.
In fact all it does is to map Zope 3 security directives to Zope 2
ClassSecurityInfo-style declarations.
| >* ZCML security declarations are great for Zope3 and Five classes
| >because their default security policy is DENY unless explicitly allowed.
|
| ZCML does NOT change the security policy of Zope 2. ZCML is just a
| *spelling* of security declarations. So, it's not much new code at all.
And in fact it has tests.
| >* Comments like <!--deny attributes="baz" /--> <!-- XXX not yet
| >supported --> are adding a bad gut feeling ...
|
| <deny /> is something that's not in Zope 3 and I don't know what Sidnei
| (who did the ZCML-Zope2-security integration) intended there. It's
| certainly nothing that poses a security threat. We don't operate on bad
| gut feelings. If you see definite problems with Five code, I'll be happy
| to discuss them.
I believe Zope 3 had <deny /> at some point. It might not have it
anymore these days. If I recall, the motivation was to be able to add
the notion of 'deny by default' which exists in Zope 3.
--
Sidnei da Silva
Enfold Systems http://enfoldsystems.com
Fax +1 832 201 8856 Office +1 713 942 2377 Ext 214
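The point made in this exchange, that Five's ZCML security directives are another spelling of the same ClassSecurityInfo declarations rather than a new policy, can be shown with a small stand-alone model. The following Python is an added example, not code from this thread, from Five or from AccessControl: it does not import Zope, the ClassSecurityInfo class below only records the declarePublic/declareProtected/declarePrivate calls that the real one applies to a class, the ZCML fragment is constructed for the example, and the mapping of <deny> to declarePrivate is this example's assumption (the thread leaves the intent of <deny> open).

```python
"""Added example: Five-style ZCML security directives as a spelling of
Zope 2 ClassSecurityInfo declarations.  Stand-alone, no Zope imports."""
import xml.etree.ElementTree as ET


class ClassSecurityInfo:
    """Stand-in for AccessControl.SecurityInfo.ClassSecurityInfo.

    The real object applies declarations to a class at class
    initialisation time; this one only records them so the ZCML and
    ClassSecurityInfo spellings can be compared.
    """

    def __init__(self):
        # attribute name -> 'public', 'private' or a Zope 2 permission title
        self.declarations = {}

    def declarePublic(self, *names):
        for name in names:
            self.declarations[name] = 'public'

    def declarePrivate(self, *names):
        for name in names:
            self.declarations[name] = 'private'

    def declareProtected(self, permission, *names):
        for name in names:
            self.declarations[name] = permission


def _tag(elem):
    """Strip the ZCML namespace from an element tag."""
    return elem.tag.split('}', 1)[1] if '}' in elem.tag else elem.tag


def declarations_from_zcml(zcml_text):
    """Translate <class> security directives into ClassSecurityInfo calls.

    Returns {dotted class name: ClassSecurityInfo}.  Permission ids such
    as zope2.View are resolved to the Zope 2 permission title ("View")
    through the <permission> directives in the same fragment, since that
    title is what ClassSecurityInfo takes.  Only attribute-based
    directives are modelled; <deny> -> declarePrivate is an assumption.
    """
    root = ET.fromstring(zcml_text)
    titles = {}
    for elem in root.iter():
        if _tag(elem) == 'permission':
            titles[elem.get('id')] = elem.get('title')

    result = {}
    for cls in root.iter():
        if _tag(cls) != 'class':
            continue
        security = ClassSecurityInfo()
        for directive in cls:
            names = directive.get('attributes', '').split()
            kind = _tag(directive)
            if kind == 'allow':
                security.declarePublic(*names)
            elif kind == 'require':
                pid = directive.get('permission')
                if pid not in titles:
                    raise ValueError('undefined permission id: %s' % pid)
                security.declareProtected(titles[pid], *names)
            elif kind == 'deny':
                security.declarePrivate(*names)
            else:
                raise ValueError('unsupported directive: %s' % kind)
        result[cls.get('class')] = security
    return result


def declaration_for(security, name):
    """What the declarations say about one attribute, or 'undeclared'.

    An undeclared attribute is left to Zope 2's own security policy;
    the ZCML spelling never changes that default.
    """
    return security.declarations.get(name, 'undeclared')


# Constructed ZCML fragment for the example (not from any real product).
EXAMPLE_ZCML = """
<configure xmlns="http://namespaces.zope.org/zope">
  <permission id="zope2.View" title="View" />
  <class class="example.Foo">
    <require permission="zope2.View" attributes="foo bar" />
    <allow attributes="baz" />
    <deny attributes="secret" />
  </class>
</configure>
"""

# The same declarations in their classic Zope 2 spelling.
classic = ClassSecurityInfo()
classic.declareProtected('View', 'foo', 'bar')
classic.declarePublic('baz')
classic.declarePrivate('secret')

if __name__ == '__main__':
    from_zcml = declarations_from_zcml(EXAMPLE_ZCML)['example.Foo']
    assert from_zcml.declarations == classic.declarations
    for attr in ('foo', 'baz', 'secret', 'other'):
        print(attr, declaration_for(from_zcml, attr))
```

Both spellings end in the same table of attribute-to-permission declarations; what happens to an attribute that neither spelling mentions ('other' above) is decided by Zope 2's policy, not by the ZCML.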