[z3-five] Re: Todo list discussion

Martijn Faassen faassen at infrae.com
Tue Jun 29 13:54:46 MEST 2004


Philipp von Weitershausen wrote:

[running without security wrappers]

> So, to let me understand this:
> 
> - Zope 2 Page Templates, like PythonScripts, are bound so that 
> everything they want to do is subject to not only expensive but also 
> very restricting security checks. DTML ignores that, which seems not only 
> to be more secure in the end, but also less error-prone and faster.

Well, very restricting I don't know. But worrying about security on 
multiple levels can make one think too hard, and as a result not do 
security as well. This is because you have to think about a far larger API 
that needs to be exposed using the security system. In Zope 2, you're 
never going to get it *always* checked, anyway, as you have trusted code 
everywhere too.

> - Zope 3 Page Templates, like any other component in Zope3, don't do 
> explicit security checks; instead, they deal with other objects as usual; 
> however, security is still enforced in 'untrusted' environments, e.g. 
> when objects are retrieved during a user interaction that acts with a 
> certain legitimacy. These objects are security wrapped; these security 
> checkers perform checks, but nearly transparently.
> 
> - In Five, we feed Zope 2 objects (which are not security wrapped) to 
> Zope 3 Page Templates. That means once the Page Template is executed, 
> neither the Page Template, nor some security proxies nor the objects 
> themselves will perform security checks. This doesn't matter to us since 
> we protect the overall Page Template with a permission, e.g. in the 
> <browser:page> ZCML directive.
> 
> If that last statement is correct, why would Zope 3 need security proxies?

I don't know, ask Jim. :) There are of course people who have argued 
against them from the beginning, suggesting things like security checks 
at the outside only (like Five now has), or things like capability based 
security models.

I can see the use case for explicit security checking, especially when 
it is non-intrusive like in Zope 3. In Zope 2, we have a hybrid model 
anyway, so I am not too concerned a page template on the filesystem is 
running in trusted mode, just like a python method on the filesystem.

Of course a security model for code is needed anyway, if you have 
clearly untrusted through the web ways to add code. Security wrappers 
make sense there. Five doesn't tackle that at this stage though.

Regards,

Martijn
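As an added illustration, not code from Zope 3, Five or this thread: a toy Python model of the two enforcement styles compared above. A `Checker` declares which permission protects each attribute, a `SecurityProxy` checks every attribute read transparently (the Zope 3 style), while `render_five_style` only gates the page as a whole and hands the bare object to the template (the Five style). All names here are invented for the example; the document and permissions are constructed samples.

```python
# Toy model (invented names, not zope.security's code) of the two styles compared
# above. A principal is represented simply by the set of permission names it holds.
from types import SimpleNamespace

class Checker:
    """Declares which permission protects each attribute of a content type."""
    def __init__(self, required):
        self.required = required  # e.g. {"title": "View", "secret": "Manage"}

    def check(self, permissions, name):
        perm = self.required.get(name)
        if perm is None:  # undeclared attributes are never exposed
            raise PermissionError(f"{name!r} is not declared")
        if perm not in permissions:
            raise PermissionError(f"{name!r} requires {perm}")

class SecurityProxy:
    """Wraps an object so every attribute read is checked first; callers see
    the same attributes as on the bare object, so the check is transparent."""
    def __init__(self, obj, checker, permissions):
        object.__setattr__(self, "_state", (obj, checker, permissions))

    def __getattr__(self, name):
        obj, checker, permissions = object.__getattribute__(self, "_state")
        checker.check(permissions, name)
        return getattr(obj, name)

DOC_CHECKER = Checker({"title": "View", "secret": "Manage"})

def make_document(title, secret):
    """A bare content object, standing in for an unwrapped Zope 2 object."""
    return SimpleNamespace(title=title, secret=secret)

def render(context):
    """Stands in for a page template: it only reads attributes of its context."""
    return f"{context.title} / {context.secret}"

def render_zope3_style(doc, permissions):
    """The context arrives security-wrapped, so every attribute read is checked."""
    try:
        return render(SecurityProxy(doc, DOC_CHECKER, permissions))
    except PermissionError as exc:
        return f"denied: {exc}"

def render_five_style(doc, permissions, page_permission="View"):
    """Only the page is protected; the bare object goes straight to the template."""
    if page_permission not in permissions:
        return "denied: page"
    return render(doc)
```

With only the View permission, the proxied version is refused at the first read of `secret`, while the Five-style version renders the secret once the page permission passes, which is exactly why the page-level permission must then carry the whole burden.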
