[Zope-dev] who wants to maintain Zope 3?
Chris McDonough
chrism at plope.com
Sat Apr 11 21:14:04 EDT 2009
On 4/11/09 8:10 PM, Tim Hoffman wrote:
> If someone where coming to the Zope party now and needed the full
> blown security model and view mechanisms, and the zcml tied to that
> model what would the choice be going forward?
>
> repoze.bfg has pretty much gutted that model (which is fine as a
> simpler model is definately required, I am planning to revisit bfg
> with my zope on gae work)
As far as I know, the only bit that BFG doesn't have out of the box (or at least
in combination with an authentication system like repoze.who) that Zope 2 or
Zope 3 does is the concept of allowing untrusted users to write code (e.g. "TTW
code").
All other concepts present in Zope 2/3 that I know of can be composed using the
out-of-the-box BFG primitives of context-sensitive security (via ACLs attached
to model objects), view permissions, and principals. Because the only code that
is published to the web within BFG is view code, no other security is required
for "belt and suspenders"; for example, you don't need to protect model methods
because there's just no way they'll be invoked within a BFG application.
For more information, see http://docs.repoze.org/bfg/narr/security.html .
- C
More information about the Zope-Dev
mailing list