[Zope-PTK] Roles, Groups, Security and Group Membership

Dan L. Pierson dan@sol.control.com
Wed, 5 Jul 2000 09:58:32 -0400 (EDT)

Chris Withers writes:
 > Monty Taylor wrote:
 > > Am I making any sense at all? Does anyone see either a need for doing
 > > this or a way to do it? If it requires changes to PTK core, would anyone
 > > be interested in those, or should I throw them in my pile of dirty little
 > > secrets that no one should really know exist?
 > You're making perfect sense and I think it's a Zope problem partly, and
 > also a PTK problem.

I agree that what you (Monty) want is needed and seems to be missing.

 > The Zope problem is that Zope security has no idea about Groups.
 > As in Users/Members exist
 > They may have roles
 > They may also be members of Groups.
 > Groups may also be members of Groups.
 > Groups may also have roles associated with THEM.
 > Other major security systems I can think of (LDAP, Unix, NT, Notes) all
 > have this concept but Zope does not :(

So far I've been getting by with group specific roles
(e.g. Archive_Manager, instead of Manager), but I've barely scratched
the surface of this and already have run into problems with other
products.  Most manage_* methods return manage_main if REQUEST is
set.  They should only return it if the user has the right to see it!

 > Should this part of the discussion be moved to zope-dev?

Well, my previous comment maybe, but some of this is PTK specific.

 > Okay, for the PTK bit, it's similar but different. The PTK only has the
 > concept of Users as members, each of whom have their own user area.
 > I think this is a bad starting point. I reckon groups should be members,
 > and groups should have their own areas, perhaps in /Groups/ or some such
 > in addition to the stuff in /Members. A User would then be able to edit
 > content in their member folder as well as content in the group folders
 > of any groups they belong to.

I'm not sure that this is either necessary or desirable.  I'd hate
for simple PTK users to have to set up a group hierarchy to get
started.  It seems to me that group membership is an attribute of a
Member, like home folder.  The publishing logic could then look at
this attribute (these attributes? It may not be that simple.) to
determine whether to automatically publish something or hold for
review.  I.e. the problem may not be the Zope security system, it may
be the PTK using Zope security instead of a private mechanism.
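Added illustration (not code from this thread, nor from Zope or the PTK): a small
Python model of the three points raised above. It resolves roles through
users, groups and groups-of-groups as Chris describes, shows the manage_*
pattern Dan objects to (returning the management screen whenever REQUEST is
set) beside the same method gated on a permission check, and shows one reading
of Dan's suggestion that publishing logic consult a Member's group-membership
attribute. All names (Group, User, SecurityPolicy, the permission strings, the
sample users and groups) are hypothetical and constructed for the example.

```python
# Added illustrative model of group-aware role resolution; not Zope/PTK code.
# Every class, permission string and sample principal here is hypothetical.
from __future__ import annotations
from dataclasses import dataclass


class Unauthorized(Exception):
    """Raised when a caller lacks the permission a method requires."""


@dataclass(frozen=True)
class Group:
    name: str
    roles: frozenset[str] = frozenset()   # roles granted to the group itself
    parents: tuple[str, ...] = ()         # groups this group is a member of


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset[str] = frozenset()   # roles granted directly to the user
    groups: tuple[str, ...] = ()          # direct memberships (a Member attribute)


@dataclass(frozen=True)
class SecurityPolicy:
    """Users and groups carry roles; groups may nest; permissions map to roles."""
    groups: dict[str, Group]
    permissions: dict[str, frozenset[str]]   # permission -> roles that grant it

    def effective_groups(self, user: User) -> set[str]:
        # Walk group-of-group memberships; 'seen' guards against cycles.
        seen: set[str] = set()
        stack = list(user.groups)
        while stack:
            g = stack.pop()
            if g in seen or g not in self.groups:
                continue
            seen.add(g)
            stack.extend(self.groups[g].parents)
        return seen

    def effective_roles(self, user: User) -> set[str]:
        roles = set(user.roles)
        for g in self.effective_groups(user):
            roles |= self.groups[g].roles
        return roles

    def allowed(self, user: User, permission: str) -> bool:
        granted = self.permissions.get(permission, frozenset())
        return bool(self.effective_roles(user) & granted)


def manage_edit_insecure(policy: SecurityPolicy, user: User, request) -> str | None:
    """The pattern complained about: hands back manage_main whenever REQUEST is set."""
    return "manage_main" if request is not None else None


def manage_edit_checked(policy: SecurityPolicy, user: User, request) -> str | None:
    """Same method, but manage_main is only returned to a caller allowed to see it."""
    if request is None:
        return None
    if not policy.allowed(user, "View management screens"):
        raise Unauthorized(user.name)
    return "manage_main"


def publish_decision(policy: SecurityPolicy, user: User, trusted_groups) -> str:
    """Auto-publish when the member belongs to a group the folder trusts."""
    if policy.effective_groups(user) & set(trusted_groups):
        return "published"
    return "held for review"


# Constructed sample data: a group-specific role (Archive_Manager) instead of
# the global Manager role, and a nested group that inherits it.
POLICY = SecurityPolicy(
    groups={
        "Members": Group("Members"),
        "Editors": Group("Editors", roles=frozenset({"Reviewer"})),
        "Archive": Group("Archive", roles=frozenset({"Archive_Manager"})),
        "Senior_Editors": Group("Senior_Editors", parents=("Editors", "Archive")),
    },
    permissions={
        "View management screens": frozenset({"Manager", "Archive_Manager"}),
        "Publish content": frozenset({"Reviewer"}),
    },
)
ALICE = User("alice", groups=("Senior_Editors",))
BOB = User("bob", groups=("Members",))

if __name__ == "__main__":
    print(sorted(POLICY.effective_roles(ALICE)))           # Archive_Manager, Reviewer
    print(manage_edit_insecure(POLICY, BOB, {"REQUEST": 1}))  # manage_main, wrongly
    print(publish_decision(POLICY, BOB, ["Editors"]))       # held for review
```

The insecure variant is the behaviour Dan describes: any caller who reaches the
method with REQUEST set gets the management screen back. The checked variant
fails closed with Unauthorized instead, and because roles are resolved through
nested groups, granting Archive_Manager to the Archive group is enough for
every member of Senior_Editors to pass the check without touching the global
Manager role.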