[Zope3-dev] Re: RFC: Unification of requests and security contexts through Use

Steve Alexander steve at z3u.com
Wed Jan 21 09:29:11 EST 2004


Chris McDonough wrote:
> Maybe it's just
> meant to be a bag, which would be fine, but then the verbosity of the
> proposal still confounds me and makes me think I'm still missing
> something.

The proposal actually is pretty simple. The value of it is that it 
describes how we can look at security as akin to presentation, and how 
this allows us to get rid of the ill-defined "security context" we have 
had in Zope 3 until now.

We replace the security context with a Use. Clients of the Use are:

* The publication object, which creates the Use and tells the Use about
   the request and its principal(s).

* Executable code, which tells the Use that other principals are
   also responsible for how the system is currently being used,
   and when that responsibility is finished.

* Logging and auditing systems, which ask the Use what principals have
   been at all involved in how the system has been used, and how each
   principal has participated in the activities performed by the system.

* The security policy, which needs to know what principals are using the
   system, and may need to know who is "piloting" the principal, and
   how they are connecting to the principal in order to pilot it.

   I have an image in mind of a puppet show with marionettes.
   Each puppet is a principal. A puppet is controlled using strings, or
   rods -- the request. However, in our technologically advanced show,
   we have programmable puppets that can remember moves and speech
   to be performed when their puppeteer isn't there -- executable code.
   One puppeteer may control several puppets. Inside the show, all
   we see are puppets and strings.

The class and interface for the Use can be defined along with the 
security policy. The other clients of a Use can adapt the Use to the 
specific interface they require.


I just talked with Jim about this, and about a puppet metaphor. We 
discussed that if we follow this metaphor, we can change the diagram in 
the proposal to dispense with "Actor", and just have a Use know about 
Participations, each Participation having Principals. This is pretty 
close to Phillip's revised diagram.

--
Steve Alexander
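
An added sketch, not part of the message above and not Zope 3 code, of a Use that tracks Participations and serves the four clients listed. All class and function names, the grants table, and the "every active principal must hold the permission" rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Participation:
    principal: str  # the "puppet"
    via: str        # how it is piloted: "request" or "executable code"

@dataclass
class Use:
    active: list = field(default_factory=list)   # currently responsible
    history: list = field(default_factory=list)  # everyone ever involved

    def begin(self, principal, via):
        """Publication or executable code declares a responsible principal."""
        p = Participation(principal, via)
        self.active.append(p)
        self.history.append(p)
        return p

    def end(self, participation):
        """Executable code signals that its responsibility is finished."""
        self.active.remove(participation)

    def principals(self):
        """What the security policy asks: who is using the system right now."""
        return [p.principal for p in self.active]

    def audit(self):
        """What logging/auditing asks: who took part, and how."""
        return [(p.principal, p.via) for p in self.history]

# Constructed sample grants (hypothetical principals and permissions).
GRANTS = {"alice": {"view", "edit"}, "script_owner": {"view"}}

def check_permission(use, permission):
    """Assumed policy: deny unless every active principal holds the permission."""
    names = use.principals()
    return bool(names) and all(permission in GRANTS.get(n, set()) for n in names)

def demo():
    use = Use()
    use.begin("alice", "request")                 # done by the publication
    before = check_permission(use, "edit")
    owner = use.begin("script_owner", "executable code")
    during = check_permission(use, "edit")        # owner lacks "edit"
    use.end(owner)
    after = check_permission(use, "edit")
    return before, during, after, use.audit()

if __name__ == "__main__":
    print(demo())
```

Under the assumed policy, a principal added by executable code narrows what is allowed while it is responsible, and the audit record keeps that principal after its responsibility ends.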



