[Zope-PAS] role management

Jens Vagelpohl jens at dataflake.org
Thu Jan 19 18:31:10 EST 2006


On 19 Jan 2006, at 22:55, Wichert Akkerman wrote:
> Currently adding roles through a RoleManager breaks ZODBRoleManager:
> it reads a list of all roles when it is created and assumes they do not
> change after that. If you add a new role you can do that through
> a RoleManager directly, but ZODBRoleManager will not notice and will not
> enumerate it.
>
> Can someone enlighten me as to how roles and local roles really differ,
> and why every folder has both?

Roles are "global". User objects get them assigned upon creation.
Local roles are only used within the context they are defined in. So
if user "A" has role "Member" after authenticating at the root in
/acl_users, and he has a local role "Manager" in /members/A, then
security validation will recognize him as Member and Manager for all
items accessed in or underneath /members/A, but only as Member
everywhere else.

If ZODBRoleManager does not "see" global roles added after its
instantiation then that's a bug.

jens
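
The resolution rule described above, as an added example that is not part of the original message and is not Zope or PAS code: a simplified Python model in which global roles apply everywhere and local roles apply at and beneath the container that grants them. The names `GLOBAL_ROLES`, `LOCAL_ROLES`, `effective_roles` and `has_role` are hypothetical, and the sample data is constructed from the user "A" scenario in the message.

```python
# Simplified model of global vs. local roles; not Zope or PAS code.
# All names here (GLOBAL_ROLES, LOCAL_ROLES, effective_roles, ...) are
# hypothetical and exist only for this illustration.

# Global roles: assigned to the user object by the user folder at the root.
GLOBAL_ROLES = {"A": {"Member"}}

# Local roles: stored on the container where they are granted,
# keyed by container path, then by user id (constructed sample data).
LOCAL_ROLES = {
    "/members/A": {"A": {"Manager"}},
}


def containers_on_path(path):
    """Yield "/", then each ancestor container, then the path itself."""
    yield "/"
    parts = [p for p in path.split("/") if p]
    for i in range(1, len(parts) + 1):
        yield "/" + "/".join(parts[:i])


def effective_roles(user_id, path):
    """Global roles plus every local role granted at or above `path`."""
    roles = set(GLOBAL_ROLES.get(user_id, ()))
    for container in containers_on_path(path):
        roles |= LOCAL_ROLES.get(container, {}).get(user_id, set())
    return roles


def has_role(user_id, path, required):
    """Role check as security validation would apply it in this model."""
    return required in effective_roles(user_id, path)


if __name__ == "__main__":
    for p in ("/", "/members", "/members/A",
              "/members/A/docs/report", "/members/AB"):
        print(p, sorted(effective_roles("A", p)))
```

Matching is done per path component, so the local role on /members/A does not leak to a sibling container such as /members/AB.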


