[Zope-CMF] A very long permissions list ;-)

[Chris Withers]

Hehe... this thread has been dormant for a month, but with the release of
the Workflow tool I thought I'd wake it up again ;-)

> > > Here is our plan: the configurable workflow will take over the role ->
> > > permission -> method mappings.  There are several current views on the
> > > specifics, but essentially the workflow will manage security.
Workflows
> > > can manage security in more flexible ways, such as allowing access to
> > > methods based on object state.
> >
> > How will they interact with the security machinery and normal Zope
permissions?
>
> The workflow will take over security computation at whatever point it
> sees fit: it might remap permissions, roles, users, or even methods
> themselves.  That's the plan.

...how did the implementation turn out? What is it that actually happens
now? Also, can you explain for a simpleton (me ;-) how this overcomes the
n-dimensional security problem that started off this thread?

> In CVS it has been revised somewhat: portal_workflow is now a folder
> where you can assign types to workflows.  I think it makes several
> things clearer.  You should read the API documentation on the
> portal_workflow tool, especially the WorkflowDefinition interface.

Okay, had a quick skim. Has anything significant changed on this over the
last month?

> What do you mean?  Are you saying the workflows would manually remap
> permissions?  That's actually what is done now and there are problems
> with it, such as not being able to explicitly disable a role to
> permission mapping without embedding role names in objects.

Hmmm, the implication was that there should have to be things like
permission checks in skins code that semi-trusted users could take out. The
alternative view that supports this is that all security assertions should
encapsulated in one place. Is that place now the workflow tool? should it
be?

cheers,

Chris