[Zope-dev] uuid.UUID as a rock in zope.security
Martijn Faassen
faassen at startifact.com
Fri Apr 10 09:25:19 EDT 2009
Hi there,
One fundamental question about this that I have is why we want to
protect the user against such loopholes anyway?
Isn't zope.security a protection system against *accidental* mistakes in
building secure applications? I.e. I call a method and then I find out I
have no such access. Do we really need to protect the developer against
more arcane workarounds?
If I *want* to work around the security system deliberately I can simply
remove the security proxy and be done with it. It's not like the system
is protecting against this anyway.
Protecting against workarounds is useful if you allow through the web
manipulation of code itself. But who is actually doing this?
Regards,
Martijn
More information about the Zope-Dev
mailing list