[Zope-dev] uuid.UUID as a rock in zope.security

Jim Fulton jim at zope.com
Fri Apr 10 10:25:52 EDT 2009


On Apr 10, 2009, at 9:25 AM, Martijn Faassen wrote:

> Hi there,
>
> One fundamental question about this that I have is why we want to
> protect the user against such loopholes anyway?
>
> Isn't zope.security a protection system against *accidental* mistakes in
> building secure applications?

No

> I.e. I call a method and then I find out I have no such access. Do we
> really need to protect the developer against more arcane workarounds?
>
> If I *want* to work around the security system deliberately I can simply
> remove the security proxy and be done with it. It's not like the system
> is protecting against this anyway.
>
> Protecting against workarounds is useful if you allow through the web
> manipulation of code itself. But who is actually doing this?


The purpose of the protection system is to protect an application
against untrusted code provided by people other than the application
developer.  If an application has no untrusted code, then the
protection system isn't necessary. I'll guess that 99% of applications
don't support untrusted code and don't need the Zope protection
system(s).  The applications people build with Grok probably fall in
this category, or one would hope. :)

There are some applications, such as Zope 2, Plone, and many of our
(ZC's) applications that support untrusted code and, for these
systems, the protection system is critical.  It doesn't protect the
application developer from herself, it protects her from the people
writing the untrusted code.

(Note that, in some ways, HTTP requests represent untrusted code.
This case can often be handled by simple resource-protection schemes,
although some applications can still benefit from the Zope 3
protection scheme, which can help mediate access to content when
fine-grained control is needed.)

Jim

--
Jim Fulton
Zope Corporation