[Zope3-dev] Initial thoughts on the Zope3 security framework
Jim Fulton
jim@zope.com
Sat, 08 Dec 2001 16:51:14 -0500
Paul Everitt wrote:
>
> Should you mention that docstrings won't govern whether something is
> published?
Sure. Go ahead. ;)
> Also, are there changes to the rules about a leading underscore?
The APIs are silent on this, but our intention is to remove names
from access considerations in the standard Zope Security Policy.
> When you mention inner and outer context, I was reminded about Fred's
> first response. Do you need to explain this somewhere?
There probably needs to be a separate document that lays out the concepts
and jargon for context wrapping.
> Here's something everybody
Everybody? I doubt it.
> has wanted for a while, but which has been
> disallowed for security reasons: TTW product installation.
I still think this is a really bad idea.
> When you
> discussed "varying levels of security", it made me wonder if the
> SecurityFramework could provide a mode specifically tailored for meeting
> this need?
There's nothing in the current security policy that would prevent someone
from writing a product that did TTW product installation.
The risks are high. The benefit is low compared to the risk, IMO.
If someone wants this, they can write it, but I think we have much
more important fish to fry.
Jim
--
Jim Fulton mailto:jim@zope.com Python Powered!
CTO (888) 344-4332 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org