[Zope-dev] uuid.UUID as a rock in zope.security

Zvezdan Petkovic zvezdan at zope.com
Fri Apr 10 12:06:05 EDT 2009


On Apr 10, 2009, at 11:32 AM, Hanno Schlichting wrote:
> We do have the use-case of allowing trusted people to add templates or
> code TTW and many other things like data level and view based security.
> The RestrictedPython case however is something we will gladly give up.

Trusted people!?
Are you checking their ID at the door?

All you have in terms of trust are their credentials.
You don't want to allow many, many things TTW, even if they logged in  
with the trusted credentials.

Otherwise, you give them the same credentials on your physical machine  
that serves that app (e.g. they import os TTW).

Finally, even if you are fine with allowing that because you trust  
them, who guarantees that every login with those credentials is really  
that trusted person?

	Zvezdan


