On 4/11/09 8:10 PM, Tim Hoffman wrote:
> If someone where coming to the Zope party now and needed the full
> blown security model and view mechanisms, and the zcml tied to that
> model what would the choice be going forward?
> repoze.bfg has pretty much gutted that model (which is fine as a
> simpler model is definately required, I am planning to revisit bfg
> with my zope on gae work)

As far as I know, the only bit that BFG doesn't have out of the box (or at 
in combination with an authentication system like repoze.who) that Zope 2 or 
Zope 3 does is the concept of allowing untrusted users to write code (e.g. "TTW 

All other concepts present in Zope 2/3 that I know of can be composed using the 
out-of-the-box BFG primitives of context-sensitive security (via ACLs attached 
to model objects), view permissions, and principals.  Because the only code 
is published to the web within BFG is view code, no other security is required 
for "belt and suspenders"; for example, you don't need to protect model methods 
because there's just no way they'll be invoked within a BFG application.

For more information, see http://docs.repoze.org/bfg/narr/security.html .

- C
Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to