[Zope3-dev] Initial thoughts on the Zope3 security framework

[Martijn Faassen]

Guido van Rossum wrote:
> > Hm, at least I know 'local role'. A local role is a role a user receives
> > dependent on what object he tries to access. I.e. I may have role 'manager'
> > in one place while only role 'anonymous' in another. Local role permissions
> > are acquired by subobjects. Currently local roles are settable in a
> > non-scalable sad stepchild screen in the ZMI hanging off the 
> > security tab. They're pretty common in the types of sites I design,
> > so I'm glad to see they're gaining a more central place; non-local roles
> > are only a specialization of local roles, as they should be.
> 
> OK, that makes sense -- just as there can be user folders sitting
> anywhere in a tree, there can be roles defined anywhere in the tree,
> and they propagate down in the same way.  Right?

Yes, that's correct. There has been some talk recently about making them more
centralized for reasons of making them easier to catalog, but nothing
yet has come out of that. And I rather like the principle of having each
branch of the tree be a tree by itself in Zope. Even so, perhaps Shane
should in a word about his catologing use case .

Regards,

Martijn