[Zope-dev] uuid.UUID as a rock in zope.security

Chris Withers chris at simplistix.co.uk
Sat Apr 11 09:27:48 EDT 2009


Martijn Faassen wrote:
> Isn't zope.security a protection system against *accidental* mistakes in 
> building secure applications? I.e. I call a method and then I find out I 
> have no such access. Do we really need to protect the developer against 
> more arcane workarounds?

Yes, that's its stated aim, and I want to rely on that, so I care a lot.

> If I *want* to work around the security system deliberately I can simply 
> remove the security proxy and be done with it. It's not like the system 
> is protecting against this anyway.

Well, not if you don't have access to that removal code.

Chris

-- 
Simplistix - Content Management, Zope & Python Consulting
            - http://www.simplistix.co.uk

