[Zope] List All users with a given permission

Stuart 'Zen' Bishop zen@cs.rmit.edu.au
Thu, 21 Oct 1999 09:23:13 +1000 (EST)


On Tue, 19 Oct 1999, Michel Pelletier wrote:

> > From: Stuart 'Zen' Bishop [mailto:zen@cs.rmit.edu.au]
> > 
> > I suddenly find myself with a need to populate a list box with
> > all users with a given permission on a particular object.
> > Is there any nifty method hidden away to do this? Or would I be
> > reduced to crawling up the tree looking for userfolders and iterating
> > over the contents (could be a bit sluggish with 3000+ users...)
> 
> Uhhhh....  I suspect this can't be done, especially since user's
> permissions can change from object to object..that's not even the hard
> part.  I could be completely wrong, I'm not the security guru around
> here.
> 
> > Perhaps I'll just require typing the username and verifying on form
> > submission :-)

It gets worse, and I'd really like to hear people's ideas on doing this,
or alternative designs.

The situation:

    I'm writing a work flow system (well... problem tracking system except
I don't want it to be technician specific). I need to find all people with
the 'Change Job' permission for the following reasons:
    - Populate a selection control to assign someone to a job
    - When a new job is submitted, email everyone with the 'Change Job'
      permission

I need a method that will retrieve a list of all users with a given 
permission on a given object. I think I can do it with the following
code, but I think it will be painfully slow with over 3000 users
unless I cache the results:
    <dtml-in "object.get_valid_userids()">
        <dtml-if "_['sequence-item'].has_permission('Change Job',object)">

            Append sequence-item to a list

        </dtml-if>
    </dtml-in>

Even if I cache the results, someone will get a very slow response if
that cache has expired when they make their request (precaching anyone?
Or spawning a background task to fill out the new values in a separate
transaction whilst reusing the old values?)

All the alternatives I've come up with to not need this information are painful:
    - Shadow the list of users with the required permissions in the area.
      This is just plain unmaintainable if it has to be done manually (after
      creating a user, go through the queues and areas adding them to the
      right lists). It might be possible to shadow the list automatically
      by crawling up the tree occasionally and calling has_permission
      for each user object I find (assuming I can retrieve user lists
      from all the user folders above me).
  
    - Provide a DTML hook for the Zope administrator to rewrite - it
      would return a list of relevant users. This makes installation
      and maintenance non-trivial (instead of just point-and-drool granting
      of a permission to a role, DTML code would have to be written and
      tested).

 ___
   //     Zen (alias Stuart Bishop)     Work: zen@cs.rmit.edu.au
  // E N  Senior Systems Alchemist      Play: zen@shangri-la.dropbear.id.au
 //__     Computer Science, RMIT 	 WWW: http://www.cs.rmit.edu.au/~zen
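
The lookup asked about above can be inverted: resolve the permission to its roles once, then match users by role, instead of running a permission check per user. This is an added example, not part of the original message and not Zope's API; `Node`, its fields and the sample tree are a hypothetical simplified model, and `assign` re-checks the chosen user on submission rather than trusting the list box.

```python
# Simplified model (assumption): Node is hypothetical, not a Zope class.
class Node:
    def __init__(self, parent=None, users=None, grants=None, local_roles=None, no_acquire=()):
        self.parent = parent
        self.users = users or {}              # user folder here: {userid: {roles}}
        self.grants = grants or {}            # {permission: {roles}} set on this node
        self.local_roles = local_roles or {}  # {userid: {roles}} for this subtree
        self.no_acquire = set(no_acquire)     # permissions not acquired from parent

def chain(obj):  # obj, then each container above it, nearest first
    while obj is not None:
        yield obj
        obj = obj.parent

def roles_granting(obj, permission):
    """Resolve the permission to roles once, honouring acquisition cut-offs."""
    roles = set()
    for node in chain(obj):
        roles |= node.grants.get(permission, set())
        if permission in node.no_acquire:
            break
    return roles

def users_with_permission(obj, permission):
    """One walk up the tree; each user costs a single set intersection."""
    wanted, local, seen, allowed = roles_granting(obj, permission), {}, set(), set()
    for node in chain(obj):               # pass 1: local roles in effect on obj
        for uid, roles in node.local_roles.items():
            local.setdefault(uid, set()).update(roles)
    for node in chain(obj):               # pass 2: users, nearest folder wins
        for uid, roles in node.users.items():
            if uid not in seen and wanted & (roles | local.get(uid, set())):
                allowed.add(uid)
            seen.add(uid)
    return sorted(allowed)

def assign(job, userid, permission="Change Job"):
    """Re-check on submission: the submitted value need not come from the list."""
    if userid not in users_with_permission(job, permission):
        raise PermissionError(f"{userid} lacks {permission!r} on this job")
    return userid

def sample_tree():
    """Constructed sample: root -> helpdesk area -> one job."""
    root = Node(users={"admin": {"Manager"}, "alice": {"Technician"},
                       "dave": {"Member"}, "erin": {"Member"}},
                grants={"Change Job": {"Manager"}})
    area = Node(root, users={"carol": {"Technician"}},
                grants={"Change Job": {"Technician"}}, local_roles={"dave": {"Technician"}})
    return root, area, Node(area)
```

If the result is cached, the check in `assign` is what keeps a stale or tampered list from assigning a job to someone who no longer holds the permission.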