[Zope3-dev] Zope security policy

Garrett Smith garrett at mojave-corp.com
Thu Mar 10 12:03:25 EST 2005


Roger Ineichen wrote:
> Behalf Of Garrett Smith
>> Sent: Thursday, March 10, 2005 5:32 PM
>> To: dev at projekt01.ch
>> Cc: zope3-dev at zope.org
>> Subject: RE: [Zope3-dev] Zope security policy
>> 
>> Roger Ineichen wrote:
>>> Hi Garrett
>>> 
>>> From: Garrett Smith [mailto:garrett at mojave-corp.com]
>>>> Sent: Thursday, March 10, 2005 5:05 PM
>>>> To: dev at projekt01.ch
>>>> Cc: zope3-dev at zope.org
>>>> Subject: RE: [Zope3-dev] Zope security policy
>>>> 
>>>> I glanced over the transcript, but I'm not sure what I'm supposed
>>>> to get from it.
>>> 
>>> ;-) nothing, if we don't change the default configuration
>>> for zope.View from Allow to Deny for unauthenticated principals.
>> 
>> Ah, so you're saying we just delete these grants?
> 
> Yes
> I think it's up to the server administrator to open security.
> I don't like this Microsoft concept "all is open for everybody
> and don't forget to secure your application."
> 
>> That's fine, but it's decoupled from my point, which is to move these
>> decision points into site-specific configuration.
> 
> How?

Move any site-specific declarations out of
z/a/securitypolicy/configure.zcml and into the securitypolicy.zcml
that's included in site.zcml. This is certainly what securitypolicy.zcml
was intended for, I would assume.

 -- Garrett

