Christian Theune wrote:
Is this intentional?

Yes.  self is never proxied.

I'll just note as a data point that this surprised me as well. I noticed that some things in Zope 3 weren't giving me authorization errors as I expected, even though, as I was swamped in them at that point during development, I wasn't really regretful of that. :) I just got this suspicious feeling something was off. Finally I discovered it was the 'self' thing (actually, utilities you pull in aren't security proxied either).

That this is a surprise at the very least indicates that this needs to be clearly documented somewhere, though perhaps it is and I missed it.

It worries me a bit -- reasoning about security proxies reminds me a bit too much of the reasoning about acquisition wrappers and such that I have to struggle through with Zope 2. I know it worries Jim too, but he says making it better needs a deep study of security usability first, and I believe him. :)
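The behaviour discussed in this thread, shown as an added example that is not part of the original message and is not zope.security code: a simplified model of a name-checking proxy, in which `Proxy`, `Forbidden`, `Document` and `demo` are hypothetical names. It shows why code running inside a method sees no authorization errors: the check happens at the proxy boundary, and the method is bound to the bare object.

```python
class Forbidden(Exception):
    """Raised when the toy proxy denies access to an attribute name."""


class Proxy:
    """Toy model of a security proxy: checks names against an allow-list.

    Simplifications (assumptions): the wrapped object is not hidden from
    callers and return values are not re-wrapped, as a real proxy would do.
    """

    def __init__(self, obj, allowed):
        self._obj = obj
        self._allowed = frozenset(allowed)

    def __getattr__(self, name):
        # Only reached for names not found on the Proxy instance itself.
        if name not in self._allowed:
            raise Forbidden(name)
        # A bound method returned here is bound to the bare object,
        # not to the proxy, so 'self' inside it is unproxied.
        return getattr(self._obj, name)


class Document:
    def __init__(self, title, secret):
        self.title = title
        self.secret = secret

    def summary(self):
        # 'self' is the bare Document: reading self.secret is unchecked.
        return f"{self.title}: {self.secret}"

    def is_self_proxied(self):
        return isinstance(self, Proxy)


def demo():
    # Constructed sample object; 'secret' is deliberately not in the allow-list.
    doc = Proxy(Document("report", "s3cr3t"),
                allowed={"title", "summary", "is_self_proxied"})
    try:
        doc.secret
        direct = "allowed"
    except Forbidden:
        direct = "forbidden"
    return direct, doc.summary(), doc.is_self_proxied()


if __name__ == "__main__":
    print(demo())
```

Any permission a method needs to enforce on its own object's attributes therefore has to be declared on the method name itself, since access through `self` bypasses the per-attribute check.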


