[z3-five] Unexpectedly unprotected code

Martijn Faassen faassen at startifact.com
Wed Jan 31 17:12:54 CET 2007


Chris Withers wrote:
> Martijn Faassen wrote:
>> My ideas have evolved to the point that I like trusted code more and 
>> more, and I'm not sure it's worth the effort to expend a lot of time to 
>> make untrusted code work.
> 
> Oh I dunno, I think this is an exceptionally important use case which the
> Zope community seems to be ignoring more and more and which used to be 
> the main thing that brought people to Zope: the ability for a trusted 
> but not necessarily fully competent user to write code while protecting 
> them from accessing data they shouldn't and trying to help them not 
> shoot themselves in the foot...
> 
> I think that's still well worth doing...

I agree the use case exists. I'm not sure how important it is, though 
traditionally it's been quite important to Zope 2.

I think there are a lot of *other* things we should be doing first to 
make an inexperienced developer happier with Zope 3. Some of those 
things we've been trying to do with Grok.

One of the things that bugs me even as an *experienced* developer is 
that Zope 3's pervasive security has a heavy cost during development. It
happened to me quite frequently that I had to debug why Zope 3 didn't let me
do something I should do, and I had to dig through ZCML files and add 
security declarations quite often, and mess about with __parent__ quite 
often, and use removeAllSecurityProxies() and such quite often. I 
consider this very off-putting to any developer, experienced or not.

Regards,

Martijn


