On Aug 26, 2008, at 9:01 AM, Malthe Borch wrote: > David Pratt, Tim Terlegård and I had a brief conversation about the > decision to implement a new security policy in repoze.bfg based on > ACL. > > Worries: > > 1) This does away with ``zope.security``, which was the de-facto > security model for Zope and one most developers are intimately > familiar with. Is it possible to support a setup where this security > model would be used instead of the new ACL-based policy?
I'm not certain. zope.security is pretty complicated (IMO, needlessly) and I'm not personally particularly hot on roles. But I don't think it's impossible. > > 2) The syntax for the ACL policy is quite crude in my view; it uses > tuple-notation and strings where I would've considered a scheme that > was less error-prone (on both accounts: a tuple notation is often > difficult because the ordering is so random, and strings could lead to > hard-to-catch typos). I haven't added any API for setting it, as I couldn't think of a way that didn't involve passing the three arguments to a function, which turns into the same thing, although I suppose it could do error checking. - C _______________________________________________ Repoze-dev mailing list Repozeemail@example.com http://lists.repoze.org/listinfo/repoze-dev