Hi Chris

Can I specify security annotations on objects persisted in the ZODB, as
per Zope3/Zope2,
which are over and above the class/view declaration?

BFG wasn't around when we started, so I have looked too closely at BFG
from a security point of view.


On Sun, Apr 12, 2009 at 9:14 AM, Chris McDonough <chr...@plope.com> wrote:
> On 4/11/09 8:10 PM, Tim Hoffman wrote:
>> If someone were coming to the Zope party now and needed the full
>> blown security model and view mechanisms, and the zcml tied to that
>> model what would the choice be going forward?
>> repoze.bfg has pretty much gutted that model (which is fine as a
>> simpler model is definitely required, I am planning to revisit bfg
>> with my zope on gae work)
> As far as I know, the only bit that BFG doesn't have out of the box (or at
> least in combination with an authentication system like repoze.who) that
> Zope 2 or Zope 3 does is the concept of allowing untrusted users to write
> code (e.g. "TTW code").
> All other concepts present in Zope 2/3 that I know of can be composed using
> the out-of-the-box BFG primitives of context-sensitive security (via ACLs
> attached to model objects), view permissions, and principals.  Because the
> only code that is published to the web within BFG is view code, no other
> security is required for "belt and suspenders"; for example, you don't need
> to protect model methods because there's just no way they'll be invoked
> within a BFG application.
> For more information, see http://docs.repoze.org/bfg/narr/security.html .
> - C
Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )
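
An added illustration, not part of the thread and not repoze.bfg's own code: a stand-alone sketch of context-sensitive security, where an ACL stored on an individual model object is checked before the ACLs of its ancestors. `Node`, `lineage`, `permits`, the principal names and the sample tree are constructed for this example; the `__acl__` and `__parent__` attributes follow the BFG convention.

```python
# Simplified stand-in for an ACL authorization check; not repoze.bfg's code.
ALLOW, DENY = "Allow", "Deny"
EVERYONE = "system.Everyone"


class Node:
    """Constructed model object; in a ZODB app it would subclass Persistent."""

    def __init__(self, name, parent=None, acl=None):
        self.__name__ = name
        self.__parent__ = parent
        if acl is not None:
            self.__acl__ = acl  # per-instance ACL, stored with the object


def lineage(context):
    """Yield the context, then each ancestor up to the root."""
    while context is not None:
        yield context
        context = context.__parent__


def permits(context, principals, permission):
    """First matching ACE wins, nearest object first; no match means deny."""
    principals = set(principals) | {EVERYONE}
    for location in lineage(context):
        for action, principal, perms in getattr(location, "__acl__", ()):
            if isinstance(perms, str):
                perms = (perms,)
            if principal in principals and permission in perms:
                return action == ALLOW
    return False


# Constructed sample tree: the root grants view to everyone and edit to editors;
# one document carries its own ACL that overrides what it would inherit.
root = Node("root", acl=[(ALLOW, EVERYONE, "view"),
                         (ALLOW, "group:editors", ("view", "edit"))])
public_doc = Node("readme", parent=root)
private_doc = Node("payroll", parent=root,
                   acl=[(ALLOW, "user:tim", ("view", "edit")),
                        (DENY, EVERYONE, ("view", "edit"))])

if __name__ == "__main__":
    for doc in (public_doc, private_doc):
        for who in (["user:anon"], ["user:bob", "group:editors"], ["user:tim"]):
            print(doc.__name__, who, permits(doc, who, "edit"))
```

The trailing `DENY` entry on `private_doc` is what stops the root's grant to `group:editors` from being inherited; without it the walk would continue to the parent and allow the edit.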
