[Zope-PAS] role management

Wichert Akkerman wichert at wiggy.net
Sat Jan 21 10:37:07 EST 2006


Previously Jens Vagelpohl wrote:
> Roles are "global". User objects get them assigned upon creation.  

Upon creation of what?

> Local roles are only used within the context they are defined in. So
> if user "A" has role "Member" after authenticating at the root in
> /acl_users, and he has a local role "Manager" in /members/A, then
> security validation will recognize him as Member and Manager for all
> items accessed in or underneath /members/A, but only as Member
> everywhere else.

Right.

> If ZODBRoleManager does not "see" global roles added after its  
> instantiation then that's a bug.

ZODBRoleManager only adds and updates roles in itself and never in the
RoleManager, which suggests that it is meant to take over global role
management completely. So I'm thinking that it should either indeed take
that role and implement an interface for it, or not and always use
__ac_roles__ from the closest containing RoleManager instead of using
its internal data structure.

Wichert.

-- 
Wichert Akkerman <wichert at wiggy.net>    It is simple to make things.
http://www.wiggy.net/                   It is hard to make things simple.
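
The global versus local role resolution described in the quoted text above, as an added Python sketch that is not part of the original thread and is not Zope or PAS code. The names Folder, roles_in_context and build_sample_tree are hypothetical, and the model assumes local roles apply at the folder where they are set and to everything beneath it.

```python
# Simplified model, constructed for illustration only (not Zope/PAS code).

class Folder:
    """A container that may grant local roles to specific user ids."""

    def __init__(self, name, parent=None, local_roles=None):
        self.name = name
        self.parent = parent
        # user id -> roles granted in this context, in the spirit of
        # Zope's __ac_local_roles__ attribute (assumption of this model).
        self.local_roles = dict(local_roles or {})


def roles_in_context(user_id, global_roles, context):
    """Return the effective roles of user_id when accessing `context`.

    Global roles apply everywhere. Local roles are collected from the
    context itself and from every container above it, so a grant on
    /members/A also covers items underneath /members/A.
    """
    roles = set(global_roles)
    node = context
    while node is not None:
        roles.update(node.local_roles.get(user_id, ()))
        node = node.parent
    return roles


def build_sample_tree():
    """Constructed sample: /members/A grants user "A" the Manager role."""
    root = Folder("")
    members = Folder("members", parent=root)
    home_a = Folder("A", parent=members, local_roles={"A": ["Manager"]})
    doc = Folder("notes", parent=home_a)
    return {"root": root, "members": members, "home_a": home_a, "doc": doc}


if __name__ == "__main__":
    tree = build_sample_tree()
    for key in ("root", "members", "home_a", "doc"):
        roles = roles_in_context("A", ["Member"], tree[key])
        print(key, sorted(roles))
```
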

