[Zope3-dev] Security Policy

Ivo van der Wijk ivo@amaze.nl
Mon, 4 Feb 2002 11:59:22 +0100


[I just noticed I forgot to cc this to the zope3-dev list itself ;-]

On Wed, Jan 30, 2002 at 03:20:30PM -0800, Andy McKay wrote:
> Am I way ahead of things (or way behind) on asking what sort of security policy
> Zope 3 will have with regard to TTW scripting?
> 
> With the move away from DTML towards a more CMF style site will we finally have a relaxation of the security
> rules that stop people importing easily into python scripts (for example)? Ideally there would
> be various levels of security in the config that would allow the sys admin to
> determine how tight security is.
> 

This reminds me of a security feature I would really like in Zope3: A higher
level of permissions/privileges next to the standard authentication system.

At this moment, if someone has the Manager role anywhere in a zope server, 
there is (afaik) no way to restrict access to certain products.

At FreeZope.org, for example, where people can get their own Zope folder
with complete control over it, we cannot install a LocalFS product to use
ourselves and restrict access to FreeZope users. Same for database adapters,
etc. The 'Install LocalFS' permission doesn't do the trick - as a manager you
can simply disable acquisition for this permission and enable it again for
yourself.

Such higher level permission would also make it possible to install 
a pythonscript-like product that uses a less restrictive environment (or perhaps
the standard Python Script module, that simply checks for this higher level
permission).

Would anyone else find this useful?

With regards,

	Ivo van der Wijk

-- 
Drs. I.R. van der Wijk                              -=-
Brouwersgracht 132                      Amaze Internet Services V.O.F.
1013 HA Amsterdam, NL                               -=-
Tel: +31-20-4688336                       Linux/Web/Zope/SQL/MMBase
Fax: +31-20-4688337                           Network Solutions
Web:     http://www.amaze.nl/                    Consultancy
Email:   ivo@amaze.nl                               -=-
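
Added example, not part of the original message and not Zope's own code: a simplified model of per-folder permission settings with acquisition, showing why a permission stored in the folder tree can be re-granted by a local Manager while a check kept outside the tree cannot. The class, the function names, the `SiteOwner` role and the `SERVER_GRANTS` table are assumptions made for illustration.

```python
# Simplified model (assumption): each folder stores permission -> (acquire, roles).
class Folder:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.settings = {}      # permission -> (acquire flag, set of roles)
        self.local_roles = {}   # user -> roles granted in this folder

    def set_permission(self, permission, roles, acquire=True):
        self.settings[permission] = (acquire, set(roles))

    def roles_for(self, permission):
        """Roles holding `permission` here, following acquisition upward."""
        acquire, roles = self.settings.get(permission, (True, set()))
        if acquire and self.parent is not None:
            roles = roles | self.parent.roles_for(permission)
        return roles

    def roles_of(self, user):
        """Roles of `user` here, including those granted in enclosing folders."""
        roles = set(self.local_roles.get(user, ()))
        if self.parent is not None:
            roles |= self.parent.roles_of(user)
        return roles

def folder_allows(folder, user, permission):
    """Folder-tree check only: any folder Manager can change its outcome."""
    return bool(folder.roles_of(user) & folder.roles_for(permission))

# Hypothetical higher-level grants, kept outside the folder tree so that
# no role inside a folder can edit them.
SERVER_GRANTS = {"Install LocalFS": {"siteadmin"}}

def allowed(folder, user, permission):
    """Higher-level server check first, then the usual folder-level check."""
    if permission in SERVER_GRANTS and user not in SERVER_GRANTS[permission]:
        return False
    return folder_allows(folder, user, permission)

def demo():
    root = Folder("root")
    root.set_permission("Install LocalFS", {"SiteOwner"})
    root.local_roles["siteadmin"] = {"SiteOwner"}
    home = Folder("tenant-home", parent=root)   # constructed sample tenant
    home.local_roles["tenant"] = {"Manager"}
    before = folder_allows(home, "tenant", "Install LocalFS")
    # The tenant edits the security settings of the folder they manage.
    home.set_permission("Install LocalFS", {"Manager"}, acquire=False)
    after = folder_allows(home, "tenant", "Install LocalFS")
    return (before, after, allowed(home, "tenant", "Install LocalFS"),
            allowed(root, "siteadmin", "Install LocalFS"))
```

`demo()` returns the folder-level result before and after the tenant's change, then the combined result for the tenant and for the site administrator.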