[z3-five] Security and Five
Sidnei da Silva
sidnei at awkly.org
Mon Jun 21 02:17:03 MEST 2004

On Sun, Jun 20, 2004 at 12:52:18PM -0300, Sidnei da Silva wrote:
| It seems to me that the right way to handle this is to have a
| <require> and <allow> subdirectives to the <five:page> directive
| instead. I don't remember from the top of my head how security in
| views is handled.
|
| If I am correct, doing security decls in python as it was done in
| FiveViewsDemo before my changes didn't work either. Martijn, can you confirm?

Scratch that. The problem seemed to be that BrowserView didn't validate
security against the __page_attribute__ method. I added the security
check there and a 'permission' attribute to the five:page directive to
protect the page. That was when I realized that a page is usually a
single attribute of a view class.

| For content, the security decls in zcml should be working just fine as
| there's no metaclass involved.

I changed FiveViewsDemo.simplecontent.SimpleContent to use
five:content directive, and it seems to work like a charm. Yay!

As far as security is concerned, I think we are good enough to
go. There are more features on zope2 security, like setDefaultAccess
and declareObjectProtected, but I think we shouldn't go there. Most
people don't even know those exist, and they don't have counterparts
in z3. Even declarePrivate doesn't have a counterpart in z3. *wink*

Martijn, tell me what you think about it this far. I would suggest
moving some files around, to make the package a bit more consistent. (eg:
fiveconfigure.py to handlers/five.py, fivedirectives to
directives/five.py, and so on)
--
Sidnei da Silva <sidnei at awkly.org>
http://awkly.org - dreamcatching :: making your dreams come true
http://www.enfoldsystems.com
http://plone.org/about/team#dreamcatcher
The value of a program is proportional to the weight of its output.