[Zope3-dev] security frustrations

Martijn Faassen faassen at infrae.com
Tue Aug 9 10:35:30 EDT 2005


Benji York wrote:
> Martijn Faassen wrote:
> 
>> * after object creation but before the object is added,
>>   various things are done to the object.
>>
>> * authorization error: user cannot access various attributes.
> 
> If these things are done by subscribers, would using trusted subscribers 
> help?

I guess it could; I've used a trusted adapter in a few places to get 
around security concerns.

However, not everything is done by subscribers. I have a little workflow 
system that in some cases can create new versions of objects, for instance.

My frustration is more that one has to do *something* special than that 
there aren't any solutions. Knowing to use trusted subscribers and 
having to design one's application around them would be another thing one 
would need to know to 'please' the security system. I know of course 
that security is hard, so maybe there's no way other than to just bite the 
bullet...

But it still leaves me wishing; it's rather easy to break the security 
of an application.

Perhaps I'm wishing for a system where a lot more can be made trusted 
easily. As far as I understand right now it's possible with adapters, 
and apparently subscribers (I didn't know this, so I may be missing more).

Perhaps the answer is different altogether. And again, perhaps it's just 
going to be either hard or insecure, pick one. :)

Regards,

Martijn

