On 4/11/09 8:10 PM, Tim Hoffman wrote: > If someone where coming to the Zope party now and needed the full > blown security model and view mechanisms, and the zcml tied to that > model what would the choice be going forward? > > repoze.bfg has pretty much gutted that model (which is fine as a > simpler model is definately required, I am planning to revisit bfg > with my zope on gae work)
As far as I know, the only bit that BFG doesn't have out of the box (or at least in combination with an authentication system like repoze.who) that Zope 2 or Zope 3 does is the concept of allowing untrusted users to write code (e.g. "TTW code"). All other concepts present in Zope 2/3 that I know of can be composed using the out-of-the-box BFG primitives of context-sensitive security (via ACLs attached to model objects), view permissions, and principals. Because the only code that is published to the web within BFG is view code, no other security is required for "belt and suspenders"; for example, you don't need to protect model methods because there's just no way they'll be invoked within a BFG application. For more information, see http://docs.repoze.org/bfg/narr/security.html . - C _______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )