On Tue, Sep 19, 2006 at 04:34:55PM +0200, Philipp von Weitershausen wrote:
> > In general I prefer old and well-tested security code over new
> > security-related code. Martijn, Philipp and all the other people are
> > doing a great job with Five but well ... it's new code. New code tends
> > to break because it is not as well tested as old code.
>
> There isn't much new in terms of security regarding what ZCML does in Five.
> In fact all it does is map Zope 3 security directives to Zope 2
> ClassSecurityInfo-style declarations.
>
> > * ZCML security declarations are great for Zope 3 and Five classes
> > because their default security policy is DENY unless explicitly allowed.
>
> ZCML does NOT change the security policy of Zope 2. ZCML is just a
> *spelling* of security declarations.

So, it's not much new code at all. And in fact it has tests.

> > * Comments like <!--deny attributes="baz" /--> <!-- XXX not yet
> > supported --> are adding a bad gut feeling ...
>
> <deny /> is something that's not in Zope 3 and I don't know what Sidnei
> (who did the ZCML-Zope2-security integration) intended there. It's
> certainly nothing that poses a security threat. We don't operate on bad
> gut feelings. If you see definite problems with Five code, I'll be happy
> to discuss them.

I believe Zope 3 had <deny /> at some point. It might not have it anymore these days. If I recall, the motivation was to be able to add the notion of 'deny by default' which exists in Zope 3.

-- 
Sidnei da Silva
Enfold Systems
http://enfoldsystems.com
Fax +1 832 201 8856
Office +1 713 942 2377 Ext 214

_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
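The point made in the exchange above, that Five's ZCML security directives are only another spelling of Zope 2 ClassSecurityInfo declarations, shown as an added illustration that is not code from Five, Zope, or anyone in the thread. It parses a constructed ZCML fragment with the standard library and records the ClassSecurityInfo calls each directive stands for, so it runs without Zope installed. The class name `example.Document`, the permission ids, and the `RecordingSecurityInfo` stand-in are assumptions for the demo; only the `<class>`/`<require>`/`<allow>` directive shapes and the `declareProtected`/`declarePublic` method names are taken from the real APIs.

```python
"""Added illustration (not Five's or Zope's code): ZCML <class> security
directives as a spelling of Zope 2 ClassSecurityInfo declarations.
"""
import xml.etree.ElementTree as ET

ZOPE_NS = "{http://namespaces.zope.org/zope}"

# Constructed sample. The class and permission ids are assumptions; the
# commented-out <deny> mirrors the "XXX not yet supported" comment from
# the thread.
SAMPLE_ZCML = """\
<configure xmlns="http://namespaces.zope.org/zope">
  <class class="example.Document">
    <require permission="zope2.View" attributes="title body" />
    <require permission="zope2.ChangeContent" attributes="setTitle setBody" />
    <allow attributes="absolute_url" />
    <!-- <deny attributes="baz" /> XXX not yet supported -->
  </class>
</configure>
"""


class RecordingSecurityInfo:
    """Stand-in for AccessControl's ClassSecurityInfo (assumption: only the
    declareProtected/declarePublic names are mirrored).

    It records declarations in call order. The real object attaches them to
    the class, and the unchanged Zope 2 security policy enforces them later;
    nothing about the policy itself is touched by the directives.
    """

    def __init__(self):
        self.declarations = []

    def declareProtected(self, permission, *names):
        for name in names:
            self.declarations.append(("protected", permission, name))

    def declarePublic(self, *names):
        for name in names:
            self.declarations.append(("public", None, name))


def _attributes(directive):
    """Return the attribute names a directive covers; interface= is not handled."""
    attrs = directive.get("attributes")
    if not attrs:
        raise ValueError("%s: only the 'attributes' form is handled here"
                         % directive.tag.replace(ZOPE_NS, ""))
    return attrs.split()


def translate_zcml(zcml_text):
    """Map each <class> block to the declarations it spells.

    Returns {dotted class name: [(kind, permission, attribute), ...]}.
    An uncommented <deny> is rejected explicitly rather than silently
    ignored, since the thread notes it is not supported.
    """
    root = ET.fromstring(zcml_text)
    result = {}
    for cls in root.iter(ZOPE_NS + "class"):
        security = RecordingSecurityInfo()
        for directive in cls:  # XML comments are dropped by the parser
            tag = directive.tag.replace(ZOPE_NS, "")
            if tag == "require":
                permission = directive.get("permission")
                if not permission:
                    raise ValueError("<require> without a permission")
                security.declareProtected(permission, *_attributes(directive))
            elif tag == "allow":
                security.declarePublic(*_attributes(directive))
            else:
                raise ValueError("unsupported security directive <%s>" % tag)
        result[cls.get("class")] = security.declarations
    return result


if __name__ == "__main__":
    for name, decls in translate_zcml(SAMPLE_ZCML).items():
        print(name)
        for kind, permission, attr in decls:
            args = [repr(x) for x in (permission, attr) if x]
            print("  security.declare%s(%s)" % (kind.capitalize(), ", ".join(args)))
```

Two details worth noticing when running it: the XML parser discards comments, so the commented-out `<deny>` in the sample has no effect at all, and an uncommented `<deny>` raises rather than being quietly skipped, which is the behaviour you want from any translator of security declarations.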