[Zope-Coders] Re: Changes to ObjectManager, Role, and User in Zope2

[Tres Seaver]

Chris McDonough wrote:
> On Wed, 2004-03-17 at 10:25, Zachery Bir wrote:
> 
>>So, as it is, while we except the Anonymous User from playing in 
>>setting the local role of Owner, we don't except the Emergency User 
>>from doing so, but in doing so, the Emergency User will never get back 
>>those roles assigned to it.
> 
> 
> Given the shortcuts performed by the security machinery for the
> emergency user, he probably doesn't really need the local role.  Your
> current patch looks good in that respect.
> 
> 
>>I propose the following changes to OFS.ObjectManager._setObject:
>>
>>         if set_owner:
>>             object.manage_fixupOwnershipAfterAdd()
>>
>>             # Try to give user the local role "Owner", but only if
>>             # no local roles have been set on the object yet.
>>             if hasattr(object, '__ac_local_roles__'):
>>                 if object.__ac_local_roles__ is None:
>>                     user=getSecurityManager().getUser()
>>                     if user is not None:
>>                         id=user.getId()
>>                         name=user.getUserName()
>>                         if name != 'Anonymous User':
>>                             object.manage_setLocalRoles(id, ['Owner'])
> 
> 
> Your current patch is better, I think.
> 
> 
>>The only thing this might obscure is an intention to provide for 
>>emergency users and anonymous users to always share the same local 
>>roles (since both would be mapped to and accessed with None as the key)

No, they should never *have* local roles at all.  It is an error to 
assign local roles to either one, which is why they don't have IDs.  The 
fact that some code used 'getUserName' instead of 'getId' is s mere bug, 
not a sign of intent.

> It would make sense for the emergency user and the anonymous user to
> have distinct user ids as having them be the same seems like it might
> become a security issue waiting to bite someone who is not completely
> familiar with security internals.  Also, although neither the anonymous
> user nor the emergency user are presented as options on the local roles
> tab, if they do happen to be granted local roles programmatically,
> seeing "None" granted roles on the local roles screen is probably going
> to confuse people.

-1.  If we don't give them user IDs, then we won't be able to grant them 
local roles, n'est-ce pas?  And since neither of them should ever *need* 
local roles, we shouldn't give them IDs.

> To make life simple, maybe we should just give the anonymous user an id
> of 'Anonymous' and the Emergency User an id of 'Emergency' and create a
> "isSpecialUser" function that the _setObject code calls to figure out
> whether it should grant local roles or not.  A more complicated way
> would be to create a persistent SpecialUserId class that always
> evaluated to false, then the _setObject code could stay as it is, but it
> might break some other existing code.

If we modify '_setObject; and the rest of the code in Zope which assigns 
/ checks local roles to bail early if the ID is None, then the problem 
goes away.  If third-party code has been assigning local roles to the 
ID, 'None', it already deserves to lose.

Tres.
-- 
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com