[Zope-dev] who wants to maintain Zope 3?

Tim Hoffman timh at zute.net
Sat Apr 11 22:20:55 EDT 2009


Hi Chris

can I specify security annotations on objects persisted in the zodb as
per zope3/zope2
which are over and above the class/view decleration.

bfg wasn't around when we started so I have looked too closely at bfg
from security point of view

T

On Sun, Apr 12, 2009 at 9:14 AM, Chris McDonough <chrism at plope.com> wrote:
> On 4/11/09 8:10 PM, Tim Hoffman wrote:
>>
>> If someone where coming to the Zope party now and needed the full
>> blown security model and view mechanisms, and the zcml tied to that
>> model what would the choice be going forward?
>>
>> repoze.bfg has pretty much gutted that model (which is fine as a
>> simpler model is definately required, I am planning to revisit bfg
>> with my zope on gae work)
>
> As far as I know, the only bit that BFG doesn't have out of the box (or at
> least in combination with an authentication system like repoze.who) that
> Zope 2 or Zope 3 does is the concept of allowing untrusted users to write
> code (e.g. "TTW code").
>
> All other concepts present in Zope 2/3 that I know of can be composed using
> the out-of-the-box BFG primitives of context-sensitive security (via ACLs
> attached to model objects), view permissions, and principals.  Because the
> only code that is published to the web within BFG is view code, no other
> security is required for "belt and suspenders"; for example, you don't need
> to protect model methods because there's just no way they'll be invoked
> within a BFG application.
>
> For more information, see http://docs.repoze.org/bfg/narr/security.html .
>
> - C
>


More information about the Zope-Dev mailing list