[Grok-dev] Default permission for Views?
Philipp von Weitershausen
philipp at weitershausen.de
Wed Nov 5 06:57:59 EST 2008
Jan-Wijbrand Kolman wrote:
> ps. I think it was Philipp who explained to me a while ago that
> 'zope.Public' isn't really a permission itself at all, but an
> indication to the security machinery that there's no need to secure
> this view at all. Something like that.

Indeed. 'zope.Public' isn't a permission as much as an identifier for
the public checker. The public checker always allows attribute access,
whereas the permission-based checkers ask the interaction (= instance of
security policy) whether the user has a certain permission (the one that
was configured when the checker was defined).

'zope.Public' is a somewhat misleading name therefore. Eons ago Steve
Alexander already voted for renaming it to just 'public'. Given its
widespread use now and the explicit checks for this identifier
throughout security-related code, it might be too late to do this now.
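
A simplified model of the distinction described in this message, added here as an illustration: it is not code from zope.security or Grok, and the class names, the `app.Edit` permission and the grants are hypothetical. It shows that a checker defined with 'zope.Public' returns before the interaction is ever asked, and how a registration audit can list the views that bypass the policy this way.

```python
# Simplified model of the checker logic described above; not zope.security's code.
PUBLIC = "zope.Public"  # identifier for the public checker, as named in the thread


class Unauthorized(Exception):
    pass


class Interaction:
    """Stand-in for the security policy instance; records every question asked."""

    def __init__(self, grants):
        self.grants = grants  # {principal: set of permission ids} (constructed)
        self.asked = []

    def check_permission(self, principal, permission):
        # Assumption: the principal is passed explicitly to keep the model small.
        self.asked.append((principal, permission))
        return permission in self.grants.get(principal, set())


class Checker:
    """Guards attribute access with the permission it was defined with."""

    def __init__(self, permission):
        self.permission = permission

    def check(self, interaction, principal, name):
        if self.permission == PUBLIC:
            return  # public checker: the policy is never consulted
        if not interaction.check_permission(principal, self.permission):
            raise Unauthorized(f"{name} requires {self.permission}")


def audit_public(registrations):
    """Return view names whose access never reaches the security policy."""
    return sorted(n for n, c in registrations.items() if c.permission == PUBLIC)


def demo():
    policy = Interaction({"editor": {"app.Edit"}})  # constructed grants
    views = {"index": Checker(PUBLIC), "edit": Checker("app.Edit")}
    views["index"].check(policy, "anonymous", "index")  # allowed, nothing asked
    views["edit"].check(policy, "editor", "edit")  # allowed via the policy
    try:
        views["edit"].check(policy, "anonymous", "edit")
        denied = False
    except Unauthorized:
        denied = True
    return policy.asked, denied, audit_public(views)
```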