[Zope3-dev] Initial thoughts on the Zope3 security framework

Guido van Rossum guido@python.org
Sun, 09 Dec 2001 09:22:31 -0500


> Ah, perhaps this is a more common word in security lingo, though still
> new to me. :)

The difference is, this one you can look up.  E.g. Google gives lots
of hits if you try Principal and Java.

> > I wish I understood the Zope2 security model better; whenever you
> > explain something by how it differs from Zope2, I'm lost.  Also, I'm
> > not sure I understand the notions "context", "client" and "local role"
> > well enough to understand everything.
> 
> Hm, at least I know 'local role'. A local role is a role a user receives
> dependent on what object he tries to access. I.e. I may have role 'manager'
> in one place while only role 'anonymous' in another. Local role permissions
> are acquired by subobjects. Currently local roles are settable in a
> non-scalable sad stepchild screen in the ZMI hanging off the 
> security tab. They're pretty common in the types of sites I design,
> so I'm glad to see they're gaining a more central place; non-local roles
> are only a specialization of local roles, as they should be.

OK, that makes sense -- just as there can be user folders sitting
anywhere in a tree, there can be roles defined anywhere in the tree,
and they propagate down in the same way.  Right?

--Guido van Rossum (home page: http://www.python.org/~guido/)
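To make the local-role acquisition discussed above concrete, here is a small worked model (an added example, not code from Zope or from either poster): roles are granted to a principal at a node of a containment tree, and a subobject acquires every grant made at its ancestors, so the same principal can hold 'Manager' in one subtree and only 'Anonymous' in another. The class names, the sample tree and the role-to-permission table are constructed assumptions for illustration.

```python
"""Toy model of Zope-style local roles acquired down a containment tree.

Added example for illustration; not Zope's implementation. Node, grant,
acquired_roles, is_allowed and the sample data are constructed here.
"""
from __future__ import annotations

from typing import Dict, Optional, Set


class Node:
    """A container or object in the tree.

    local_roles maps a principal (user id) to the roles granted to it
    *at this node only*; acquisition is handled by acquired_roles().
    """

    def __init__(self, name: str, parent: Optional["Node"] = None) -> None:
        self.name = name
        self.parent = parent
        self.local_roles: Dict[str, Set[str]] = {}
        self.children: Dict[str, "Node"] = {}
        if parent is not None:
            parent.children[name] = self

    def grant(self, principal: str, *roles: str) -> None:
        """Assign one or more local roles to a principal at this node."""
        self.local_roles.setdefault(principal, set()).update(roles)


def find(root: Node, path: str) -> Node:
    """Resolve a slash-separated path relative to root, e.g. 'site_a/docs'."""
    node = root
    for part in filter(None, path.split("/")):
        node = node.children[part]
    return node


def acquired_roles(node: Node, principal: str) -> Set[str]:
    """Roles the principal holds at node: the union of grants made at the
    node itself and at every ancestor, because local role grants are
    acquired by subobjects (they propagate down the tree)."""
    roles: Set[str] = set()
    cur: Optional[Node] = node
    while cur is not None:
        roles |= cur.local_roles.get(principal, set())
        cur = cur.parent
    return roles


def is_allowed(node: Node, principal: str, permission: str,
               role_permissions: Dict[str, Set[str]]) -> bool:
    """Permission check: allowed if any acquired role carries the permission."""
    return any(permission in role_permissions.get(role, set())
               for role in acquired_roles(node, principal))


# Constructed role -> permission table (an assumption, not Zope's defaults).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "Anonymous": {"View"},
    "Manager": {"View", "Manage"},
}


def build_sample_tree() -> Node:
    """Constructed sample: root -> site_a/docs and site_b/drafts."""
    root = Node("root")
    site_a = Node("site_a", root)
    Node("docs", site_a)
    site_b = Node("site_b", root)
    Node("drafts", site_b)
    # bob is Anonymous everywhere (granted at the root) but Manager only
    # within site_a; site_b inherits nothing beyond the root grant.
    root.grant("bob", "Anonymous")
    site_a.grant("bob", "Manager")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for path in ("site_a/docs", "site_b/drafts"):
        node = find(tree, path)
        print(path, sorted(acquired_roles(node, "bob")),
              "Manage:", is_allowed(node, "bob", "Manage", ROLE_PERMISSIONS))
```

Because a grant is acquired by every descendant, a role assigned near the root reaches the whole subtree beneath it; when reviewing such a configuration, the grants highest in the tree deserve the closest look, and the check at a given object is only as narrow as its nearest ancestors' grants allow.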