[Zope] Re: major problems placing authentication on an extranet site-security flaw?
J Cameron Cooper
zope-l at jcameroncooper.com
Fri Feb 10 15:19:10 EST 2006
michael nt milne wrote:
> Well I said it was over and out but I have to respond to this latest
> post. I appreciate the help here and will be trying out some of the
> suggestions. Basically though, Zope permissions and security could be
> made a lot more usable. It's far too technically focused and this is the
> opinion of a few others as well. The whole ZMI interface could be put
> through a usability re-design to be honest and that's not even to
> contemplate the security areas.
The ZMI is well known to be geeky. "For developers, by developers" might
be its motto. If you have some concrete suggestions, by all means put
them forth. Patches are even better.
Anyway, ACLs are ACLs. And if you don't know what you're doing, you can
get into trouble real fast. Ever tried managing file security on a
Windows machine with ACLs?
CMF (this includes Plone) provides a way to manage this complexity:
workflow states. Each workflow has a set of permissions it manages, and
a setting of these for each state. This is much more easily comprehended
than infinite fiddling with the ZMI Security tab.
Also, as I recall, there was a "private plone site" howto on plone.org;
dunno what happened to it.
--jcc
--
"Building Websites with Plone"
http://plonebook.packtpub.com