Benji York wrote:
Martijn Faassen wrote:

* after object creation but before the object is added,
  various things are done to the object.

 > * authorization error: user cannot access various attributes.

If these things are done by subscribers, would using trusted subscribers help?

I guess it could; I've used a trusted adapter in a few places to get around security concerns.

However, not everything is done by subscribers. I have a little workflow system that in some cases can create new versions of objects, for instance.

My frustration is more that one has to do *something* special than that there aren't any solutions. Knowing to use trusted subscribers and having to design ones application around them would be another thing one would need to know to 'please' the security system. I know of course that security is hard, so maybe there's no way than to just bite the bullet...

But it still leaves me wishing; it's rather easy to break the security of an application.

Perhaps I'm wishing for a system where a lot more can be made trusted easily. As far as I understand right now it's possible with adapters, and apparently subscribers (I didn't know this, so I may be missing more).

Perhaps the answer is different altogether. And again, perhaps it's just going to be either hard or insecure, pick one. :)


Zope3-dev mailing list

Reply via email to