[Zope-CMF] Should we invert security?
seb bacon
seb@jamkit.com
Thu, 7 Jun 2001 17:49:17 +0100
Sounds good to me, and should fit most applications. However, I
wonder what someone who wants the current behaviour should do. Put
security checks in their DTML, I guess. Isn't there a more elegant
solution? I can't think of one but I'm not very elegant :)
seb
* Shane Hathaway <shane@digicool.com> [010607 16:00]:
> Right now the security strategy used by CMFDefault is "deny by default".
> Each member folder is set up to deny access to anonymous users and other
> members. Objects within a member folder allow access depending on their
> workflow state.
>
> But the problem with this strategy, which seems right at first, is subtle:
> you might be able to access content without being able to access the
> container of the content. So DTML that tries to use PARENTS[0], which
> really ought to be available, raises a security exception. This is a
> problem right now on cmf.zope.org.
>
> I think we should switch to "allow by default". Member folders won't have
> any special security settings, but when you create content, it might be
> restricted by default so that other users can't see it until it's ready to
> be published.
>
> Do you agree? It would sure simplify things IMHO.
>
> Shane
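
The two strategies discussed in this thread, as an added example that is not part of either message and not CMF or Zope code. It is a simplified toy model: `Node`, `roles_for`, `guarded`, `render`, the role names and the folder and document names are all assumptions made for illustration, and `render` only stands in for DTML that uses the object and then `PARENTS[0]`.

```python
# Toy model (constructed for illustration; not Zope's AccessControl API).
class Unauthorized(Exception):
    pass

ALL = frozenset({"Anonymous", "Member", "Owner"})
OWNER = frozenset({"Owner"})

class Node:
    def __init__(self, name, parent=None, view_roles=None):
        self.name, self.parent = name, parent
        self.view_roles = view_roles  # None: no local setting, acquire from parent

def roles_for(node):
    """Nearest explicit 'View' setting wins, walking up the containment chain."""
    while node.view_roles is None:
        node = node.parent
    return node.view_roles

def guarded(node, role):
    """Return the node if the role may view it, else raise Unauthorized."""
    if role not in roles_for(node):
        raise Unauthorized(node.name)
    return node

def render(doc, role):
    """Stand-in for a DTML method that touches the object, then PARENTS[0]."""
    guarded(doc, role)
    container = guarded(doc.parent, role)
    return container.name + "/" + doc.name

def build(folder_roles, published_roles, private_roles):
    """Build site/memberfolder/{news,draft} with the given 'View' settings."""
    root = Node("site", view_roles=ALL)
    folder = Node("memberfolder", root, folder_roles)
    return Node("news", folder, published_roles), Node("draft", folder, private_roles)

def try_render(doc, role):
    try:
        return render(doc, role)
    except Unauthorized as exc:
        return "Unauthorized: " + str(exc)

# Deny by default: folder locked down, workflow opens published content.
deny_pub, deny_priv = build(OWNER, ALL, OWNER)
# Allow by default: folder has no settings, workflow restricts unpublished content.
allow_pub, allow_priv = build(None, None, OWNER)

if __name__ == "__main__":
    for doc in (deny_pub, deny_priv, allow_pub, allow_priv):
        print(try_render(doc, "Anonymous"))
```

In the deny-by-default layout the published document passes its own check but rendering fails on the container, while in the allow-by-default layout the unpublished draft is still refused to anonymous users.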