[Zope] Changing Roles

Michel Pelletier michel@digicool.com
Thu, 23 Mar 2000 06:25:32 -0800


Your question addresses a fundamental lack in Zope.  Zope was developed
internally in a closed source fashion for years to address the needs of
paying customers.  These customers typically did not design applications
themselves, we did all of that.  Therefore, much of Zope's API is fairly
oriented toward specific directions and there are big gaping holes.

Don't let that discourage you, there are big gaping holes in all
software.  We are working on a project right now to come up with a solid
understanding of interfaces in Zope.  While this may seem like a simple
task, it is not, but we are working on it and we are making progress. 
Here, you have come upon a hole, there is a method that lets you do a
number of things in one call but there are no decomposed methods that
let you do finer grained tasks.  This kind of situation is common, not
just in Zope, but in lots of software where extensibility is very
important.

Unfortunately, this is a gnarly problem.  For example, if we decompose
manage_users() into a number of smaller methods, it would make sense for
us to re-implement manage_users() to use those methods.  But this
involves not only writing a bunch of new methods but also taking solid
proven code and discarding it for new code, based on even _newer_ code. 
This problem becomes almost nauseatingly difficult when you consider that
we could turn this process to all objects in Zope, Folders,
ObjectManagers, ZCatalogs... And while it may seem clear there should be
so and so methods to decompose to, we need to make sure we think hard
about issues like, should they be callable via XML-RPC?  Will this new
method reveal a security exploit?  etc...

I don't want to take the wind out of your sails, perhaps you could
suggest some improvements, all the code is there.  For now we are taking
small steps, document what is there, propose a framework for sensible
extension, and then fill in some of the gaps, and tear down some of the
cruft.  I will make a note of your question for when we get to security.

-Michel


> 
> Hi,
> 
> A simple question, but getting a bit irritating...
> 
> How can I change the roles assigned to a user without knowing their password?
> 
> The form to do this has password fields which come up blank, and you can't submit the form without
> filling them in.
> 
> I don't want to know what the user's password is anyway, I just want to change the assigned roles...
> ;-)
> 
> HSCH,
> 
> Chris
> 
> PS: Zope 2.1.4 and 2.1.6...