[Zope3-dev] Re: Zope security policy

Philipp von Weitershausen philipp at weitershausen.de
Thu Mar 10 12:33:30 EST 2005


Garrett Smith wrote:
>>>Unless there's an existing solution, I propose that we move the
>>>anonymous grants into securitypolicy.zcml and leave
>>>z/a/ssecuritypolicy/configure.zcml strictly for setting up components
>>>for the package.
>>
>>That would make a lot of sense, I think, since we already have a
>>securitypolicy.zcml anyway. I guess you're talking about these
>>directives, which definitely are instance-matters:
>>
>>   <role id="zope.Anonymous" title="Everybody"
>>                  description="All users have this role implicitly" />
>>   <role id="zope.Manager" title="Site Manager" />
>>   <role id="zope.Member" title="Site Member" />
>>
>>   <!-- Replace the following directive if you don't want public
>>        access -->
>>   <grant permission="zope.View"
>>                   role="zope.Anonymous" />
>>   <grant permission="zope.app.dublincore.view"
>>                   role="zope.Anonymous" />
>>
>>   <grantAll role="zope.Manager" />
> 
> 
> Good point. I suppose:
> 
>   <securityPolicy component=".zopepolicy.ZopeSecurityPolicy" />
> 
> should also go using the same logic.

I suppose so too.

> Btw, the files securitypolicy.zcml and securitypolicy-meta.zcml (in
> z/a/ssecuritypolicy) look like cruft. Aren't these supposed to show up
> in package-includes?

They are not cruft. If you look at zope.app.securitypolicy/SETUP.cfg, 
you'll see that these play a role for releases::

   # Tell zpkg how to install the ZCML slugs.

   <data-files zopeskel/etc/package-includes>
     securitypolicy-meta.zcml
   </data-files>

   <data-files zopeskel/etc>
     securitypolicy.zcml
   </data-files>

So, if we change Zope3/securitypolicy.zcml, we also need to change 
zope.app.securitypolicy/securitypolicy.zcml, because the latter is the 
one that'll be installed for releases.

> P.S. Did you intend to not include the list in your reply?

I actually did include it. I just use the mail-to-news gateway GMane to 
read mailing lists, so your email client probably didn't see the 
Newsgroup: header. CC'ing the good ol' list email address now.
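
The point above about keeping the two securitypolicy.zcml copies in step can be checked mechanically. The following is an added example, not part of the original message or of Zope's code: it extracts the security directives quoted in the thread from two ZCML documents, lists what the anonymous role is granted, and reports drift between the copies. The `<configure>` wrapper, the sample inputs and all function names are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

ZOPE_NS = "{http://namespaces.zope.org/zope}"
SECURITY_TAGS = {"role", "grant", "grantAll", "securityPolicy"}

# Constructed sample inputs: the directives quoted in the thread, wrapped in a
# <configure> root. RELEASE_COPY is missing one grant to simulate drift.
CHECKOUT_COPY = """
<configure xmlns="http://namespaces.zope.org/zope">
  <securityPolicy component=".zopepolicy.ZopeSecurityPolicy" />
  <role id="zope.Anonymous" title="Everybody"
        description="All users have this role implicitly" />
  <role id="zope.Manager" title="Site Manager" />
  <role id="zope.Member" title="Site Member" />
  <grant permission="zope.View" role="zope.Anonymous" />
  <grant permission="zope.app.dublincore.view" role="zope.Anonymous" />
  <grantAll role="zope.Manager" />
</configure>
"""
RELEASE_COPY = CHECKOUT_COPY.replace(
    '<grant permission="zope.app.dublincore.view" role="zope.Anonymous" />', "")


def security_directives(zcml_text):
    """Return the set of (tag, sorted attribute tuples) for security directives."""
    found = set()
    for el in ET.fromstring(zcml_text).iter():
        tag = el.tag.replace(ZOPE_NS, "", 1)
        if tag in SECURITY_TAGS:
            found.add((tag, tuple(sorted(el.attrib.items()))))
    return found


def anonymous_grants(zcml_text, role="zope.Anonymous"):
    """Permissions granted to the given role; '*' stands for grantAll."""
    perms = set()
    for tag, attrs in security_directives(zcml_text):
        a = dict(attrs)
        if a.get("role") == role and tag in ("grant", "grantAll"):
            perms.add(a.get("permission", "*"))
    return sorted(perms)


def drift(checkout_text, release_text):
    """Directives present in only one of the two copies."""
    a, b = security_directives(checkout_text), security_directives(release_text)
    return {"only_in_checkout": sorted(a - b), "only_in_release": sorted(b - a)}


if __name__ == "__main__":
    print("anonymous grants:", anonymous_grants(CHECKOUT_COPY))
    print("drift:", drift(CHECKOUT_COPY, RELEASE_COPY))
```

A non-empty drift result means a release built from the second copy would ship a different set of grants than the checkout.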

