[Zope-PAS] Re: PluggableAuthService question about roles
Wichert Akkerman
wichert at wiggy.net
Tue Apr 3 03:18:31 EDT 2007
Previously Tres Seaver wrote:
> The installer for a 'Plone Site' replaces the root acl_users with a PAS:
> I've argued that this is poor practice (inexcusably rude, actually),
> but they seem determined to continue it.
Rewriting the PlonePAS install code and checking if we can remove the
root acl_users changing logic is on my todo list. The whole PlonePAS
install code is somewhat nasty unfortunately.
> > Now I can only add users from the ZODB User Manager under /acl_users/users,
> > there is nowhere to add a user from an Add button as in the older version of
> > Zope.
>
> Correct. In PAS, there are actually potentially multiple user sources
> (e.g., SQL, LDAP, NTLM, etc.). Adding them to the 'ZODB users' plugin
> is the "cognate" of the old "Add" button.
I started writing some PAS documentation recently that may give some
useful background information. You can find it at
http://plone.org/documentation/manual/pas-reference-manual
> > I can add roles from ZODB Role Manager in /acl_users/roles but these roles
> > don't show up under the Security tab on any page. I can add local roles
> > under the Security tab and they don't show up in /acl_users/roles.
>
> Correct. The roles in the PAS plugin are used to control "global"
> grants to the users; the roles you set on a folder (even the root), are
> about "local" grants.
There is (imho) a buglet here: creating new roles now involves creating
both in the PAS roles manager and in the ZMI security tab.
ZODBRoleManager takes a snapshot of all existing roles in its
manage_afterAdd method, but never updates that list later.
Following your logic it would make more sense if the ZODBRoleManager
did not make a snapshot of existing roles to make the distinction
between global and local roles more obvious.
The whole local vs global roles thing always seems to get me confused
though.
> > Am still searching the WEB and archives in the meantime.
>
> The better list for this would be zope-pas at lists.zope.org (CC'ed), which
> deals with PAS specifics.
How do zope-pas at zope.org and zope-pas at lists.zope.org relate to
each other? I've always wondered that.
Wichert.
--
Wichert Akkerman <wichert at wiggy.net> It is simple to make things.
http://www.wiggy.net/ It is hard to make things simple.