[Zope3-dev] Re: RFC: Unification of requests and security contexts through Use
Chris McDonough
chrism at plope.com
Tue Jan 20 15:31:13 EST 2004
On Tue, 2004-01-20 at 10:41, Tres Seaver wrote:
> Two prominent counterexamples:
>
> - FTP is connection oriented; Zope2 "fakes" request-based security
> for it.
Right. Good point.
> - HTTPS with certificate auth has a single long-running connection,
> whose credentials are established as part of setting up the
> socket over SSL, and *cannot* be changed on a per-request basis.
Good point again.
> The other case which shows up frequently in Zope 2 is the "executable
> owner" check: the effective roles for a bit of untrusted code are the
> intersection of the roles of two principals, the "authenticated user"
> for the request and the "executable owner".
Since Zope 3's security policy stuff is so pluggable, it's not clear
what the point is of having a less generic interface than, perhaps,
setattr and getattr for collaboration with the use, unless there will be
a special kind of use on a per-security-policy basis? Maybe it's just
meant to be a bag, which would be fine, but then the verbosity of the
proposal still confounds me and makes me think I'm still missing
something.
- C