[Zope3-Users] Zope 3 security model

Mattia Belletti mattia at thick.foschia.info
Wed Jul 2 14:33:12 EDT 2008


Hi all,
  I'm a newbie to Zope 3, but I immediately had very "good vibes" about 
it. I started developing a test application. Where I immediately got some 
problems was when I had to deal with the security model.

  I illustrate my point. In the system I'm writing, users can register 
and create objects inside the system. The security system should be 
quite simple: a user can access the view page of every object, but not 
the edit page, unless he/she is the author. Well, things are more 
complex, but this is already giving me problems.

  I think it's pretty evident that the default security policy isn't 
enough for me. That is because I don't have a fixed number of principals 
in my system to declare, and thus I cannot map permissions to principals 
or permissions to views via the ZCML. E.g.: the edit page of an object 
could have something like an OwnerCanEdit permission. But then, how can I 
write that a user-yet-to-be-created has this permission? Moreover, this 
mapping isn't so straightforward (the "edit" view is accessible by a 
user if he is the author of the context, but is not if he's not the author).

  So, I started writing my own Credential plugin [I'm sure there's 
already a credential plugin which works with cookies, but it was mostly 
an exercise for me] and an Authenticator Plugin [which hooks in the user 
database I had created]. Point is, I haven't the slightest clue on how 
to write my own security policy.

  All in all, what I miss is a resource (or, more likely, a set of 
resources) where the whole problem of the security is taken from the 
Zope 3 application writer's point of view. Documentation of Zope 3 is good 
enough about the PAU, but I can't find enough information about the 
security policy nor any clear explanation about how this all is 
integrated in a site.

  Can anyone give me some hints about the correctness of what I said in 
this mail and point me to some documentation?

-- 
Mattia "RedGlow" Belletti
http://thick.foschia.info - http://anacrusi.splinder.com


