Hi all,
I'm a newbie to Zope 3, but I immediately had very "good vibes" about it. I started developing a test application. Where I immediately got some problems was when I had to deal with the security model.

Let me illustrate my point. In the system I'm writing, users can register and create objects inside the system. The security system should be quite simple: a user can access the view page of every object, but not the edit page, unless he/she is the author. Well, things are more complex, but this is already causing me problems.

I think it's pretty evident that the default security policy isn't enough for me. That is because I don't have a fixed number of principals in my system to declare, and thus I cannot map permissions to principals or permissions to views via the ZCML. E.g.: the edit page of an object could have something like an OwnerCanEdit permission. But then, how can I write that a user-yet-to-be-created has this permission? Moreover, this mapping isn't so straightforward (the "edit" view is accessible by a user if he is the author of the context, but is not if he's not the author).

So, I started writing my own Credential plugin [I'm sure there's already a credential plugin which works with cookies, but it was mostly an exercise for me] and an Authenticator plugin [which hooks into the user database I had created]. Point is, I haven't the slightest clue how to write my own security policy.

All in all, what I miss is a resource (or, more likely, a set of resources) where the whole problem of security is addressed from the Zope 3 application writer's point of view. The Zope 3 documentation is good enough about the PAU, but I can't find enough information about the security policy, nor any clear explanation of how all this is integrated in a site.

Can anyone give me some hints about the correctness of what I said in this mail and point me to some documentation?

Mattia "RedGlow" Belletti
http://thick.foschia.info - http://anacrusi.splinder.com

Zope3-users mailing list
