[z3-five] Re: securing five products
Philipp von Weitershausen
philipp at weitershausen.de
Fri Apr 1 15:58:56 MEST 2005
Tarek Ziadé wrote:
> Hi list,
>
> what would be the steps for a five based product to set security ?
>
> -> setting "regular" zope 2 security infos, in all methods, as usual
> but just in view classes
Setting security information using Zope 2 security info objects and
the so-called declarative security syntax is discouraged, mainly because
it mixes security declarations into your code.
With Five, security declarations can be made through ZCML, very much in
the same way as in Zope 3. Below the hood, Five will use a security info
object; the difference is that you separate it from your actual
application code.
> -> setting zope2.something permission attributes in the zcml for all
> browser:page
You want to protect your browser:pages with a permission and your
content objects' attributes and methods too (because they might
otherwise be accessible through regular Zope 2 traversal and e.g. XML-RPC).
So, you do

  <content class="...">
    <require ... /> <!-- protect whatever you need to protect -->
  </content>

  <browser:page
      ...
      permission="..."
      />

Philipp
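
The two-part advice in the reply above (a `<require>` on the content class and a `permission` on each `browser:page`) can be checked mechanically. The following is an added example, not part of the original message or of Five itself. The sample ZCML, its class names, page names and templates are constructed for illustration, and the script assumes the standard `zope` and `browser` ZCML namespaces.

```python
import xml.etree.ElementTree as ET

ZOPE = "http://namespaces.zope.org/zope"
BROWSER = "http://namespaces.zope.org/browser"

# Constructed sample; every class, interface, page and template name is hypothetical.
SAMPLE_ZCML = """\
<configure xmlns="http://namespaces.zope.org/zope"
           xmlns:browser="http://namespaces.zope.org/browser">
  <content class=".document.Document">
    <require permission="zope2.View" attributes="title getBody" />
  </content>
  <content class=".folder.Archive" />
  <browser:page for=".interfaces.IDocument" name="view.html"
                template="view.pt" permission="zope2.View" />
  <browser:page for=".interfaces.IDocument" name="edit.html"
                template="edit.pt" />
</configure>
"""


def audit_zcml(text):
    """Return (kind, identifier) findings for declarations lacking protection."""
    root = ET.fromstring(text)
    findings = []
    # Content classes with no <require permission="..."> child stay reachable
    # through regular Zope 2 traversal even if every page is protected.
    for node in root.iter("{%s}content" % ZOPE):
        requires = node.findall("{%s}require" % ZOPE)
        if not any(r.get("permission") for r in requires):
            findings.append(("content-without-require", node.get("class")))
    # Pages that carry no permission attribute at all.
    for node in root.iter("{%s}page" % BROWSER):
        if not node.get("permission"):
            findings.append(("page-without-permission", node.get("name")))
    return findings


if __name__ == "__main__":
    for kind, ident in audit_zcml(SAMPLE_ZCML):
        print(kind, ident)
```

The check only looks at `permission` attributes; it does not verify that the `attributes` or `interface` listed in a `<require>` cover everything the class exposes.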