[Grok-dev] Let's make security proxies an option

Shane Hathaway shane at hathawaymix.org
Fri Mar 6 14:18:30 EST 2009


Hi Grokkers,

I'm working on an application with sensitive security requirements.  I 
really need to deny everything by default, otherwise it's impossible to 
enumerate the risks.  Still, I'd like to use Grok's features to get this 
application working quickly.

Martijn talked about security in Grok here:

http://faassen.n--tree.net/blog/view/weblog/2008/04/17/0

As Martijn explained, Grok currently disables most of Zope 3's model 
security because it is somewhat cumbersome.  However, one of the primary 
things that keep me coming back to Zope is the model security.  I need 
that safety net.

For my current project, without model security, Grok is a no-go for me. 
  However, I decided to see if I could re-enable model security by 
commenting out the publication factories in grok/configure.zcml.  It 
worked, except that then my app was inaccessible.  I added class 
declarations in my own configure.zcml, and everything worked fine again!

Based on this experience, I think Grok should have documented ways to 
enable model security and set method and attribute permissions using 
Grok functions rather than ZCML.  I don't know whether model security 
should be enabled by default; that's a much bigger discussion.

Shane


More information about the Grok-dev mailing list