[Zope] zope rant

News system cg@cdegroot.com
16 Apr 2001 20:13:34 +0200


Tony McDonald <tony.mcdonald@ncl.ac.uk> said:
>Cees has a point here regarding the management of security. Does anyone know
>of any tools available to manage security without using the web interface.
>Does XML-RPC have a role (ho ho) to play here?
>
I think that what Zope needs most is (and I've said that many times before - I
even posted code so people can't accuse me of just shouting things ;-)) a
"local" GUI. Take Python+ZEO+Tkinter, and suddenly you have a whole set of
options for security management. Directly talking through ZEO to the database
is probably easier than stuffing XML-RPC in between...

Apart from that, I think Zope's security model needs to be reviewed. As I'm
currently churning out 100-hour workweeks, I haven't really spent much thought
on how it could be improved, but somehow this whole proliferation of roles,
coupled with extremely low "visibility" of who can do what, doesn't feel
right. One of the reasons that I want to split off business code in a separate
appserver is that I can "escape" the Zope security model. At the moment, I
publish database records through a Python product that applies Zope security
to them (e.g. the owner_id of a row gets the Owner role of the object that's
published through Zope), and I must say that - apart from the work to get it
to work - it doesn't give me a good feeling. Security must be simple, and the
baroqueness of owners, local roles, permissions, and whatnot doesn't really
support that goal.