[Zope3-dev] RE: Zope security policy
Garrett Smith
garrett at mojave-corp.com
Thu Mar 10 12:51:42 EST 2005
Philipp von Weitershausen wrote:
> Garrett Smith wrote:
>>>> Unless there's an existing solution, I propose that we move the
>>>> anonymous grants into securitypolicy.zcml and leave
>>>> z/a/securitypolicy/configure.zcml strictly for setting up
>>>> components for the package.
>>>
>>> That would make a lot of sense, I think, since we already have a
>>> securitypolicy.zcml anyway. I guess you're talking about these
>>> directives, which definitely are instance-matters:
>>>
>>> <role id="zope.Anonymous" title="Everybody"
>>>       description="All users have this role implicitly"
>>>       />
>>> <role id="zope.Manager" title="Site Manager" />
>>> <role id="zope.Member" title="Site Member" />
>>>
>>> <!-- Replace the following directive if you don't want public
>>>      access -->
>>> <grant permission="zope.View"
>>>        role="zope.Anonymous" />
>>> <grant permission="zope.app.dublincore.view"
>>>        role="zope.Anonymous" />
>>>
>>> <grantAll role="zope.Manager" />
>>
>>
>> Good point. I suppose:
>>
>> <securityPolicy component=".zopepolicy.ZopeSecurityPolicy" />
>>
>> should also go using the same logic.
>
> I suppose so too.
>
>> Btw, the files securitypolicy.zcml and securitypolicy-meta.zcml (in
>> z/a/securitypolicy) look like cruft. Aren't these supposed to show
>> up in package-includes?
>
> They are not cruft. If you look at zope.app.securitypolicy/SETUP.cfg,
> you'll see that these play a role for releases::
>
> # Tell zpkg how to install the ZCML slugs.
>
> <data-files zopeskel/etc/package-includes>
> securitypolicy-meta.zcml
> </data-files>
>
> <data-files zopeskel/etc>
> securitypolicy.zcml
> </data-files>
>
> So, if we change Zope3/securitypolicy.zcml, we also need to change
> zope.app.securitypolicy/securitypolicy.zcml, because the latter is the
> one that'll be installed for releases.

Good to know :)

So, to the list... if there are no objections by end of day, I'll make
the following change:

- Move site-specific security policy decisions into securitypolicy.zcml
  -- I'll update both the file in the root as well as the file in
  z/a/securitypolicy.

Note that this does not relate to the decision of whether anonymous gets
zope.View -- I'll keep that as is. (I think this change will mitigate
the need to change the current policy as site instances will be able to
remove the grants quite easily.)
-- Garrett
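
Added example, not part of the original message and not Zope's own code: a small audit a site administrator could run over an instance's securitypolicy.zcml to see which permissions are granted to zope.Anonymous and which roles receive grantAll. The <configure> wrapper, its namespace, and the function names are assumptions; the directives in the sample are the ones quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the directives quoted in the thread, wrapped in a
# <configure> element (wrapper and namespace are assumptions of this example).
SAMPLE_ZCML = """\
<configure xmlns="http://namespaces.zope.org/zope">
  <securityPolicy component=".zopepolicy.ZopeSecurityPolicy" />
  <role id="zope.Anonymous" title="Everybody"
        description="All users have this role implicitly" />
  <role id="zope.Manager" title="Site Manager" />
  <role id="zope.Member" title="Site Member" />
  <grant permission="zope.View" role="zope.Anonymous" />
  <grant permission="zope.app.dublincore.view" role="zope.Anonymous" />
  <grantAll role="zope.Manager" />
</configure>
"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element tags."""
    return tag.rsplit("}", 1)[-1]


def audit_grants(zcml_text, public_role="zope.Anonymous"):
    """Return (public_permissions, grant_all_roles, undeclared_roles).

    undeclared_roles are roles referenced by a grant in this file without a
    matching <role> directive in the same file (they may live elsewhere).
    """
    root = ET.fromstring(zcml_text)
    declared, used, public, grant_all = set(), set(), [], []
    for el in root.iter():
        name, role = local(el.tag), el.get("role")
        if name == "role":
            declared.add(el.get("id"))
        elif name == "grant" and role:
            used.add(role)
            if role == public_role:
                public.append(el.get("permission"))
        elif name == "grantAll" and role:
            used.add(role)
            grant_all.append(role)
    return public, grant_all, sorted(used - declared)


if __name__ == "__main__":
    public, grant_all, undeclared = audit_grants(SAMPLE_ZCML)
    print("granted to everybody:", public)
    print("roles with grantAll:", grant_all)
    print("roles used but not declared in this file:", undeclared)
```
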