[Zope-CMF] Security Question

Tres Seaver tseaver@zope.com
Sun, 24 Feb 2002 18:04:32 -0500 (EST)


On Sun, 24 Feb 2002, Chris Withers wrote:

> Dieter Maurer wrote:
> > 
> >   *  A CMF Site that really cares can easily provide a finer grained
> >      protection.
> 
> How?
> 
> >   *  We have too many permissions inside Zope, especially when we
> >      use the CMF
> 
> Well, I think Zope 3 is gonna let you group them at the site
> config level, so maybe more permissions is the way to go ;-)

Not in Zope2.  Sites which want finer-grained security are making
an explicitly different policy choice than the one made *by
design* in CMFDefault, and must be prepared to customize
accordingly.

The simplest way to do this is to create a product which
registers its own factories for the CMFDefault content classes;
then, update the type objects to refer to the new product.

E.g., in Products/FineGrainedCMFSecurity/__init__.py::

  from Products.CMFDefault import Document
  from Products.CMFDefault import Link
  from Products.CMFDefault import NewsItem
  from Products.CMFDefault import Image
  ...
  # ContentInit is defined in CMFCore's utils module
  from Products.CMFCore.utils import ContentInit

  content_classes = ( Document.Document, Link.Link, ... )
  content_ctors = ( Document.addDocument, Link.addLink, ... )
  content_fti = ( Document.factory_type_information
                + Link.factory_type_information
                ...
                )

  priv_content_classes = ( NewsItem.NewsItem, Image.Image, ... )
  priv_content_ctors = ( NewsItem.addNewsItem, Image.addImage, ... )
  priv_content_fti = ( NewsItem.factory_type_information
                     + Image.factory_type_information
                     ...
                     )

  # Zope calls a product's initialize( context ) when it loads the product
  def initialize( context ):

      ContentInit( 'Normal Content'
                 , content_types=content_classes
                 , permission='Add normal content'
                 , extra_constructors=content_ctors
                 , fti=content_fti
                 ).initialize( context )

      ContentInit( 'Privileged Content'
                 , content_types=priv_content_classes
                 , permission='Add privileged content'
                 , extra_constructors=priv_content_ctors
                 , fti=priv_content_fti
                 ).initialize( context )


Tres.
-- 
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.org
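
Added example, not part of the message above: a sketch of the follow-up step the post mentions (pointing the type objects at the new product), combined with pinning each new add-permission to explicit roles. The function name, the role assignments and the idea of running it with the portal object in hand (for instance from an External Method) are assumptions; the type ids are the CMFDefault ones for the classes named in the post.

```python
# Added sketch, not code from the post. apply_policy, TYPE_GROUPS and
# ROLE_MAP are hypothetical names; the role lists are assumed policy.
PRODUCT = 'FineGrainedCMFSecurity'   # product name used in the post

# Portal types per add-permission, mirroring the two ContentInit groups
# (the post elides the remainder of each list).
TYPE_GROUPS = {
    'Add normal content': ('Document', 'Link'),
    'Add privileged content': ('News Item', 'Image'),
}

ROLE_MAP = {
    'Add normal content': ['Manager', 'Member'],
    'Add privileged content': ['Manager'],
}


def apply_policy(portal):
    """Retarget type objects and pin each add-permission to explicit roles.

    Returns the ids of types that were not found, so the caller can see
    which ones are still constructed through the CMFDefault factories
    (and therefore still governed by the CMFDefault add permission).
    """
    types_tool = portal.portal_types
    missing = []
    for permission, type_ids in sorted(TYPE_GROUPS.items()):
        for type_id in type_ids:
            info = types_tool.getTypeInfo(type_id)
            if info is None:
                missing.append(type_id)
                continue
            # 'product' is the type object's property naming the product
            # whose factory is used to construct the content.
            info.manage_changeProperties(product=PRODUCT)
        # acquire=0: only the listed roles hold the permission at the
        # portal; nothing is inherited from the folders above it.
        portal.manage_permission(permission,
                                 roles=ROLE_MAP[permission],
                                 acquire=0)
    return missing
```

A non-empty return value is worth treating as a failed rollout: any type left pointing at CMFDefault can still be added by anyone holding the original add permission.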