[Zope3-dev] Initial thoughts on the Zope3 security framework
Martijn Faassen
faassen@vet.uu.nl
Sun, 9 Dec 2001 13:21:23 +0100
Jim Fulton wrote:
> I still think this is a really bad idea.
But you can already *develop* products through the web right now
in Zope 2, i.e. ZClasses. How is installing them so much worse?
> > When you
> > discussed "varying levels of security", it made me wonder if the
> > SecurityFramework could provide a mode specifically tailored for meeting
> > this need?
>
> There's nothing in the current security policy that would prevent someone
> from writing a product that did TTW product installation.
>
> The risks are high. The benefit is low compared to the risk, IMO.
The benefit is pretty high if you have a site where people can construct
new components in their own folders (without having to go through
Control_Panel). You'd see a far livelier interchange of new components
if this were more powerful (and more easy as we build an 'easy layer' on
top of the powerful one). That in my opinion is a clear benefit.
Being able to install a component you received from someone else would
be part of this.
Note that I'm talking about TTW components, not components with direct
filesystem access. I'd agree being able to install the latter is rather
scary.
Regards,
Martijn