[Zope-dev] Zope Feature discussion

Andreas Kostyrka andreas@mtg.co.at
Fri, 30 Jul 1999 08:14:30 +0200 (CEST)


On Fri, 30 Jul 1999, Anthony Pfrunder wrote:

> The second change I propose is a "Control Panel" Product which replaces
> the current one but acts like a User Folder.  Then, you can add
> permissions to Products and allow users down the chain to add their own
> Products by creating a "Control Panel".  This would also reduce Control
> Panel clutter as Products can be placed where they are needed.  Also, you
> can then subclass (via Zclasses) the Control Panel to create more user
> friendly Add Object systems.
How do you propose to solve the following facts, that
1.) Installing Products is a Superuser-equivalent operation as it needs
    filesystem access. It should be so, as Products allow arbitrary code
    to be executed.
2.) Products most often do install Folder Instance methods, like many
    of the manage_* variety, but that's not a must. So in your model, these
    methods should be added and removed on traversal of PartControlPanel?
    How does this work with multiple Threads?

> Finally, we need a subclassable Filesystem object.  When you insert one of
> these it "captures" the transactions and stores them in the local
Again, the problem here is SECURITY. You wouldn't want to allow the
non-superuser to add filesystems, as filesystem access equals complete
100% access. (at least to the objects contained in the filesystem area,
because you do have object database and could just change the security
settings with a python process.)
And if one would implement your propositions about Products, each user
could gain access to all data, because ZOPE provides only ``cooperative''
security on Python level.

> Needless to say, they don't have to be Zope fs's.  You could, for example,
> store some properties as an OLE stream inside Word documents.
Ooops, ok, when you propose to store data in Word, then you don't need to
worry about security. :(

Andreas
--
Andreas Kostyrka                     | andreas@mtg.co.at
phone: +54/1/7070750                 | phone: +43/676/4091256   
MTG Handelsges.m.b.H.                | fax:   +43/1/7065299
Raiffeisenstr. 16/9                  | 2320 Zwoelfaxing AUSTRIA
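
The reply's point that checks made at the Python level are only ``cooperative'' can be shown with a toy model. This is an added example, not part of the original message and not Zope code; Folder, Guarded and installed_code are constructed names, and the ACL layout is an assumption made for illustration.

```python
# Toy model (constructed for illustration, not Zope's API): a permission
# check that lives in the same interpreter as the code it restricts.

class Unauthorized(Exception):
    pass

class Folder:
    """Object whose access rules are ordinary Python attributes."""
    def __init__(self, secret):
        self._secret = secret
        self._acl = {"read_secret": {"Manager"}}   # permission -> roles

class Guarded:
    """Proxy that hands callers only a checked operation."""
    def __init__(self, obj, roles):
        self._obj = obj
        self._roles = set(roles)

    def read_secret(self):
        allowed = self._obj._acl["read_secret"]
        if not (self._roles & allowed):
            raise Unauthorized("read_secret")
        return self._obj._secret

def through_the_guard(proxy):
    """A cooperating caller: uses only the public, checked method."""
    try:
        return proxy.read_secret()
    except Unauthorized:
        return None

def installed_code(proxy):
    """Code loaded into the process (what a Product is): nothing forces it
    to go through the guard, so it edits the ACL the guard consults."""
    proxy._obj._acl["read_secret"].add("Anonymous")
    return proxy.read_secret()

def demo():
    folder = Folder("payroll")
    anon = Guarded(folder, roles=["Anonymous"])
    before = through_the_guard(anon)      # check holds: None
    after = installed_code(anon)          # check rewritten: "payroll"
    return before, after

if __name__ == "__main__":
    print(demo())
```

The guard only binds callers that choose to go through it, which is why the right to install code in the process has to be treated as superuser-equivalent.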