[Grok-dev] Let's make security proxies an option

Gary Poster gary.poster at gmail.com
Fri Mar 6 14:36:33 EST 2009


On Mar 6, 2009, at 2:18 PM, Shane Hathaway wrote:

> Hi Grokkers,
>
> I'm working on an application with sensitive security requirements.  I
> really need to deny everything by default, otherwise it's impossible to
> enumerate the risks.  Still, I'd like to use Grok's features to get this
> application working quickly.
>
> Martijn talked about security in Grok here:
>
> http://faassen.n--tree.net/blog/view/weblog/2008/04/17/0
>
> As Martijn explained, Grok currently disables most of Zope 3's model
> security because it is somewhat cumbersome.  However, one of the primary
> things that keep me coming back to Zope is the model security.  I need
> that safety net.
>
> For my current project, without model security, Grok is a no-go for me.
> However, I decided to see if I could re-enable model security by
> commenting out the publication factories in grok/configure.zcml.  It
> worked, except that then my app was inaccessible.  I added class
> declarations in my own configure.zcml, and everything worked fine again!
>
> Based on this experience, I think Grok should have documented ways to
> enable model security and set method and attribute permissions using
> Grok functions rather than ZCML.  I don't know whether model security
> should be enabled by default; that's a much bigger discussion.

For what it is worth, I think the fact that repoze uses model  
security, and the fact that other big projects like Launchpad and ZC  
projects use model security, and want it, might further indicate that  
it is a valuable option.

Gary

