[Zope] How to organize users in "groups"

Phil Glaser StillSmallVoice@DirectvInternet.com
Fri, 11 Oct 2002 14:40:54 -0400


Hi,

I'm building a CMF site for a client who wants to organize users within
groups. The twofold purpose of this organization is: 1) to be able to send
mail to specific constituencies of users; and 2) to assign permissions to
specific constituencies of users. My client wants the application to have
its own custom administrative interface (he does not want the site's
administrators to be exposed to ZMI) that will enable the administrators to
set permissions for specific groups on specific folders. The permissions
that the administrator sees may be simplified versions of the more complex
sets of permissions you see through ZMI. For example, for a folder the
administrator would only see the permissions "No Access," "Read Only,"
"Submit File," and "Approve File." It is also important to know that the
site is structured as a multi-community portal. In other words, members are
defined at the level of the portal, and they will have permission to belong
to specific communities within the portal. Each community will have the same
functionality (content folders, discussions, news, etc.) but the content
will be different for each.

It seems to me that the simplest way to do this is to implement a "group"
as a role. In other words, what my client is calling a "group" would be the
equivalent of a Zope "role." When the administrator adds a new group, he
would under the hood be adding a new role. When he adds a user to one or
more groups, he would be associating the user with the roles (users need to
be able to belong to more than one group at a time). Listing the members of
a group and sending mail to them would mean filtering the user objects based
on their role (assuming this can be done). As for the simplified
permissions, there would need to be a dictionary in a script that correlates
each of these simple permissions with one or more of the native Zope
permissions.

I think the only major problem with my approach stems from the fact that the
groups/roles would be different for each community -- they would not apply to
the entire portal. However, users would still be defined at the portal level
because they will have access to multiple communities. Through ZMI, it looks
like you can only assign a role to a user if the role has been defined at
the same level as the user in the hierarchy or at a containing level in the
hierarchy; in this case, I want to be able to assign a role that has been
defined at a level below the level at which the user is defined.

So my question is: is there a workaround for assigning a role to a user when
the role is defined further down in the hierarchy from where the user is, or
is there some other way entirely that I should be solving this problem?

Many thanks!

Philip Glaser
Principal and Software Architect
Sustainable Software Solutions, LLC
StillSmallVoice@DirectvInternet.com
www.sustainsoft.com
973-951-9522
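
The dictionary the message describes, correlating each simplified permission with native Zope permissions, is sketched here as an added example that is not part of the original post. The level-to-permission mapping and the group names are assumptions; the permission names are standard Zope/CMF ones, and the code is a plain-Python model that does not import Zope.

```python
# Added example: models the "simplified permission" dictionary from the post.
# Assumption: levels are cumulative and map to these Zope/CMF permissions.

LEVELS = ["No Access", "Read Only", "Submit File", "Approve File"]

# Native permissions first granted at each level.
GRANTED_AT = {
    "No Access": [],
    "Read Only": ["View", "Access contents information"],
    "Submit File": ["Add portal content"],
    "Approve File": ["Review portal content"],
}


def native_permissions(level):
    """Expand one simplified level into the set of native permissions."""
    if level not in LEVELS:
        # Reject typos instead of silently granting or denying something.
        raise ValueError("unknown permission level: %r" % (level,))
    perms = set()
    for name in LEVELS[: LEVELS.index(level) + 1]:
        perms.update(GRANTED_AT[name])
    return perms


def folder_settings(group_levels):
    """Turn {group_role: level} for one folder into {permission: [roles]}.

    Every managed permission appears in the result, even with an empty
    role list, so a group missing from group_levels gets nothing
    (deny by default) once the settings are applied without acquisition.
    """
    settings = {p: [] for perms in GRANTED_AT.values() for p in perms}
    for role, level in sorted(group_levels.items()):
        for perm in native_permissions(level):
            settings[perm].append(role)
    return settings


if __name__ == "__main__":
    # Constructed sample: three hypothetical groups on one community folder.
    sample = {"Editors": "Approve File", "Authors": "Submit File",
              "Guests": "No Access"}
    for perm, roles in sorted(folder_settings(sample).items()):
        # In Zope each pair would go to folder.manage_permission(perm, roles, acquire=0)
        print("%-30s -> %s" % (perm, roles))
```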