AW: [Zope-dev] Request typing (to get the xmlrpc layer discussion finished)

Roger Ineichen dev at projekt01.ch
Mon Dec 17 12:11:30 EST 2007


Hi all

> Subject: Re: [Zope-dev] Request typing (to get the xmlrpc 
> layer discussion finished)
> 
> On Dec 17, 2007 10:32 AM, Janko Hauser <jh at zscout.de> wrote:
> > Oh that would be a new information for me, so I would be very 
> > interested, where this is implemented.
> 
> z3c.baseregistry

Yes, that's another component which helps you protect 
your application from built-in backdoors.

In general I can say:

- baseregistry allows you to configure different ISite components
  at a global zcml level. Sites can reuse such sets of global 
  registrations in the local instance. And this registration set
  is not populated globally at the site root.

- layers allow you to offer predefined sets of configuration
  ready to reuse. Without them you can only offer global
  configuration sets which can open backdoors.

- skins map a set of layers to the public and make them 
  traversable.

I always explain it like:

Skins and layers are not needed till it comes to security. And
I always say skin and layer is the concept which allows us to 
separate the model and view and make the view part replaceable.
If you use the baseregistry it works at the local site level.

Of course you don't need layers and skins if you develop one
application and install it on one server. But if it comes
to multi skins and even worse different applications on one
server, we need layers and skins for security reasons.

And if you don't use layers and skins, you probably can't
install packages which register views at the default skin
which your server is using without opening backdoors.

Layers and skins are a security concept. And a very good one.

Note, the only secure way to set up a multi application, multi 
site Zope server is to use layers, sites and the baseregistry.

Everything else will make views on different apps available.
And this could be a very big security problem. 

Regards
Roger Ineichen
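
The exposure described in the message above, as an added example that is not part of the original post and is not Zope code: a simplified pure-Python model in which layers are classes and a skin inherits from its layers, so a view is reachable only through skins that include the layer it was registered on. All class and view names are hypothetical.

```python
# Simplified model of layer-scoped view lookup. Not Zope's implementation:
# layers are plain classes, and a skin is a class inheriting from its layers.
# All class and view names are hypothetical.

class DefaultLayer: pass              # stands in for the default layer every skin includes
class ShopLayer(DefaultLayer): pass   # layer owned by application "shop"
class AdminLayer(DefaultLayer): pass  # layer owned by a management application
class ShopSkin(ShopLayer): pass       # skin published for shop visitors
class AdminSkin(AdminLayer): pass     # skin published for administrators


class ViewRegistry:
    def __init__(self):
        self._views = {}  # (layer, view name) -> view factory

    def register(self, name, layer, factory):
        self._views[(layer, name)] = factory

    def lookup(self, skin, name):
        """Return the factory for `name` as seen through `skin`, or None."""
        for layer in skin.__mro__:  # most specific layer first
            factory = self._views.get((layer, name))
            if factory is not None:
                return factory
        return None

    def reachable(self, skin):
        """Names of all views a request with this skin can traverse to."""
        return sorted({name for (layer, name) in self._views if issubclass(skin, layer)})


def build_registry(manage_layer):
    """Register a public page plus a management view on `manage_layer`."""
    reg = ViewRegistry()
    reg.register("index.html", DefaultLayer, lambda: "public page")
    reg.register("manage.html", manage_layer, lambda: "management UI")
    return reg


if __name__ == "__main__":
    for layer in (DefaultLayer, AdminLayer):
        reg = build_registry(layer)
        print(layer.__name__, {s.__name__: reg.reachable(s) for s in (ShopSkin, AdminSkin)})
```

Auditing a deployment the same way means listing, per skin, every view reachable through it and checking that nothing registered on the default layer belongs to a single application.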


