I'm a newbie to Zope 3, but I immediately had very "good vibes" about
it. I started developing a test application. Where I immediately got some
problems was when I had to deal with the security model.

I illustrate my point. In the system I'm writing, users can register
and create objects inside the system. The security system should be
quite simple: a user can access the view page of every object, but not
the edit page, unless he/she is the author. Well, things are more
complex, but this is already giving me problems.

I think it's pretty evident that the default security policy isn't
enough for me. That is because I don't have a fixed number of principals
in my system to declare, and thus I cannot map permissions to principals
or permissions to views via the zcml. E.g.: the edit page of an object
could have something like an OwnerCanEdit permission. But then, how can I
write that a user-yet-to-be-created has this permission? Moreover, this
mapping isn't so straightforward (the "edit" view is accessible by a
user if he is the author of the context, but is not if he's not the author).

So, I started writing my own Credential plugin [I'm sure there's
already a credential plugin which works with cookies, but it was mostly
an exercise to me] and an Authenticator Plugin [which hooks into the user
database I had created]. The point is, I haven't the slightest clue about how
to write my own security policy.

All in all, what I miss is a resource (or, more likely, a set of
resources) where the whole problem of security is taken from the
Zope 3 application writer's point of view. Documentation of Zope 3 is good
enough about the PAU, but I can't find enough information about the
security policy nor any clear explanation about how this all is
integrated in a site.

Can anyone give me some hints about the correctness of what I said in
this mail and point me to some documentation?
Mattia "RedGlow" Belletti
http://thick.foschia.info - http://anacrusi.splinder.com
Zope3-users mailing list
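The "owner can edit, everyone can view" requirement described in the post does not need a custom security policy or a per-user permission declaration: the usual shape is to map permissions to roles statically and grant the Owner role to the author on the object itself when it is created, so the set of principals can stay open-ended. The following is an added, self-contained model of that decision flow in plain Python; it is not Zope's code and imports nothing from zope.*. The names Principal, Content, create_content, roles_for and check_permission, and the role/permission table, are constructed for this illustration.

```python
"""Model of owner-based access checks in the style of Zope 3 local roles.

Added illustration, not Zope's own API: the permission -> role table stands in
for ZCML grants, and Content.local_roles stands in for per-object role
assignments. Roles are collected from the principal's global roles plus the
local grants found while walking up the containment chain, then compared with
the roles the requested permission is mapped to.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Static policy, the part that would live in ZCML: permission -> roles that hold it.
# Nothing here names an individual user, so new users need no configuration.
PERMISSION_TO_ROLES: Dict[str, Set[str]] = {
    "view": {"Anonymous", "Member", "Owner"},
    "edit": {"Owner"},
}


@dataclass
class Principal:
    """An authenticated (or anonymous) user with roles granted site-wide."""
    id: str
    global_roles: Set[str]


@dataclass
class Content:
    """A stored object; local_roles maps principal id -> roles granted here only."""
    title: str
    parent: Optional["Content"] = None
    local_roles: Dict[str, Set[str]] = field(default_factory=dict)


def create_content(author: Principal, title: str,
                   parent: Optional[Content] = None) -> Content:
    """Create an object and grant its author the Owner role locally.

    This is the dynamic part: the grant is attached to the object at creation,
    so the policy never has to know the author's id in advance.
    """
    obj = Content(title=title, parent=parent)
    obj.local_roles.setdefault(author.id, set()).add("Owner")
    return obj


def roles_for(principal: Principal, context: Optional[Content]) -> Set[str]:
    """Global roles plus local roles granted on the context or any ancestor."""
    roles = set(principal.global_roles)
    node = context
    while node is not None:  # local grants are inherited down the containment chain
        roles |= node.local_roles.get(principal.id, set())
        node = node.parent
    return roles


def check_permission(permission: str, principal: Principal,
                     context: Optional[Content]) -> bool:
    """Deny by default: allow only if some held role is mapped to the permission."""
    allowed_roles = PERMISSION_TO_ROLES.get(permission, set())
    return bool(roles_for(principal, context) & allowed_roles)


def demo() -> Dict[str, bool]:
    """Constructed sample: two registered members and an anonymous visitor."""
    alice = Principal("alice", {"Member"})
    bob = Principal("bob", {"Member"})
    anonymous = Principal("anonymous", {"Anonymous"})

    folder = create_content(alice, "alice's folder")
    page = create_content(alice, "a page", parent=folder)

    return {
        "alice_edits_own_page": check_permission("edit", alice, page),
        "bob_views_alice_page": check_permission("view", bob, page),
        "bob_edits_alice_page": check_permission("edit", bob, page),
        "anonymous_views_page": check_permission("view", anonymous, page),
        "anonymous_edits_page": check_permission("edit", anonymous, page),
        "unknown_permission_denied": check_permission("publish", alice, page),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

In Zope 3 proper the same split is provided by zope.securitypolicy: the view and edit permissions are mapped to roles with the ZCML `grant` directive, and at creation time the author's principal id is given the role on the object through the IPrincipalRoleManager adapter, so the "edit" view can simply be protected by the edit permission without any per-user ZCML.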