[Zope-dev] RFC: Use Zope 3's protection system in Zope 2
faassen at infrae.com
Mon Aug 1 04:54:28 EDT 2005
Jim Fulton wrote:
> Is a proposal to use Zope 3's protection system in Zope 2.
> I think that the proposed change would provide very significan't
> benefits, although it also presents some risks.
> I'm looking for volunteers to help make this happen,
> peferably this fall.
Cool! Zope 3's security system is definitely quite powerful.
You mean you're hoping this could be in Zope 2.9? Probably not
surprisingly, you want put in me in the 'skeptics' camp here. :) We
already have a job on our hands making Zope 2.9's Five work with Zope
3.2, and actually releasing Zope 3.2 (I'll note that Zope 3.1 is still
not released as a final). I would strongly urge that this work is done
on a branch so we can ship Zope 2.9 without it if necessary.
I'm definitely worried about backwards compatibility -- how would the
effect be handled that any filesystem-level Python code in Zope 2 is
considered trusted, for instance? Would security wrappers be removed
whenever code is passed along to this level?
Would this also mean a port of the default Zope 3 security policy? I
guess that isn't possible as the security information is stored quite
differently. Would this mean we would write a new Zope 2 policy, but
based on the Zope 3 security policy mechanism, or are we only porting
the security-wrapper bits for now?
Is any scheme possible where we could introduce this selectively and in
parallel to the existing mechanisms? Like, for instance, a knob on a
folderish object that could be turned on so it starts wrapping
I understand that one huge benefit of this change is that we can stop
maintaining Zope 2's security infrastructure, but a huge benefit of
doing this in parallel would be that we have some time to really shake
out bugs without destabilizing everything else. This has worked very
well with Five so far, as it lets people move at their own speeds. The
people building the new stuff aren't making life complicated for the
rest, and neither are the people who are sticking with the existing
stuff slowing down or discourage the people who want to build new things.
More information about the Zope-Dev