[Grok-dev] Let's make security proxies an option

Jan-Wijbrand Kolman janwijbrand at gmail.com
Thu Apr 16 14:17:45 EDT 2009

Reviving this thread,

Shane Hathaway wrote:
> Hi Grokkers,
>
> I'm working on an application with sensitive security requirements.  I 
> really need to deny everything by default, otherwise it's impossible to 
> enumerate the risks.  Still, I'd like to use Grok's features to get this 
> application working quickly.
>
> Martijn talked about security in Grok here:
>
> http://faassen.n--tree.net/blog/view/weblog/2008/04/17/0
>
> As Martijn explained, Grok currently disables most of Zope 3's model 
> security because it is somewhat cumbersome.  However, one of the primary 
> things that keep me coming back to Zope is the model security.  I need 
> that safety net.
>
> For my current project, without model security, Grok is a no-go for me.
> However, I decided to see if I could re-enable model security by 
> commenting out the publication factories in grok/configure.zcml.  It 
> worked, except that then my app was inaccessible.  I added class 
> declarations in my own configure.zcml, and everything worked fine again!
>
> Based on this experience, I think Grok should have documented ways to 
> enable model security and set method and attribute permissions using 
> Grok functions rather than ZCML.  I don't know whether model security 
> should be enabled by default; that's a much bigger discussion.

Today by coincidence I ran into this:


especially lines 36 - 54.

Is there anything we can learn from this?

