Jim Fulton wrote:
> Christian Theune wrote:
>> Is this intentional?
>
> Yes. self is never proxied.

I'll just note as a data-point that this surprised me as well. I noticed
that some things in Zope 3 weren't giving me authorization errors as I
expected, even though, as I was swamped in them at that point during
development, I wasn't really regretful of that. :) I just got this
suspicious feeling something was off. Finally I discovered it was the
'self' thing (actually, utilities you pull in aren't security proxied as

That this is a surprise at the very least indicates that this needs to
be clearly documented somewhere, though perhaps it is and I missed it.
It worries me a bit -- reasoning about security proxies reminds me a bit
too much about the reasoning about acquisition wrappers and such that I
have to struggle through with Zope 2. I know it worries Jim too, but he
says making it better needs a deep study of security usability first,
and I believe him. :)
Zope3-dev mailing list