[Zope3-dev] Initial thoughts on the Zope3 security framework
Guido van Rossum
guido@python.org
Sun, 09 Dec 2001 14:45:15 -0500
[me]
> > OK, that makes sense -- just as there can be user folders sitting
> > anywhere in a tree, there can be roles defined anywhere in the tree,
> > and they propagate down in the same way. Right?
[Ken]
> Close.
This suggests I wasn't quite right (as in "close, but no cigar"), but
the rest of what you write doesn't explain where I was wrong.
> Local roles map roles to user ids within the context of an object in the
> database. E.g., a folder may grant local role "reviewer" to joe_user, so the
> joe_user account gets the reviewer role within the folder. The role mappings
> obtain for objects contained within the folders, so the local roles apply
> for objects in the folder and in subfolders.
Since when can "obtain" be used intransitively? What does "X obtains"
mean?
> Local roles have played a pretty central role in most or all of the Zope
> applications I've written - they're how the people with particular roles
> in the application are assigned those roles.
>
> E.g., in collector instances, the manager of the instance designates
> supporters, effectively giving those accounts the 'reviewer' role within
> the context of that collector. (Local roles associate role names with
> account names. Permission-to-role associations are separate mappings,
> also associated with objects, and optionally acquired within them.)
> These role assignments obtain for all the contained issues. Along similar
> lines, the person who submits an issue gets something to the effect of a
> 'creator' role within the context of the issue, getting the creator's
> permissions.
>
> I have some complaints with the current implementation of local roles - I
> usually need to incrementally adjust role assignments in ways that require
> iterating over the collection, and as Martijn suggests the TTW interface
> doesn't scale to sites with large numbers of users - but all these
> complaints are superficial. I think many Zope applications use them the way
> I describe, and they're the right way to do it - they're a key means to
> effectively employing Zope security...
I still don't see where my interpretation was off base.
--Guido van Rossum (home page: http://www.python.org/~guido/)
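The following is an added illustration, not code from Zope or from anyone in this thread. It models the two mappings Ken describes (local roles from user ids to role names, and permission settings from permissions to roles, both stored on objects and applying to the objects contained below them) as a small containment tree, so that "the role mappings apply for objects in the folder and in subfolders" can be checked rather than imagined. Class and function names, the sample users, permissions and the `acquire` flag are all invented for the example; the `acquire` behaviour is an assumption modelled on Zope 2's acquire-permission checkbox rather than anything stated in the message.

```python
"""Toy model of local roles and permission-to-role settings in a tree.

Added illustration for this page; not Zope's own code and not from the
thread.  Local roles (user -> roles) and permission settings (permission
-> roles) live on objects and apply to everything contained beneath them.
Names and the `acquire` flag are assumptions made for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Obj:
    """A node in the containment tree (folder, collector, issue, ...)."""
    name: str
    parent: Obj | None = None
    # Local roles: user id -> roles granted to that user in this context.
    local_roles: dict[str, set[str]] = field(default_factory=dict)
    # Permission settings: permission -> roles allowed here.  A permission
    # absent from this dict is simply not set on this object.
    permission_roles: dict[str, set[str]] = field(default_factory=dict)
    # Permissions whose setting is ADDED to the parent's setting instead of
    # replacing it (assumed "acquire" behaviour, not from the thread).
    acquire: set[str] = field(default_factory=set)

    def child(self, name: str) -> Obj:
        return Obj(name, parent=self)


def roles_in_context(user: str, obj: Obj) -> set[str]:
    """Local roles accumulate along the containment chain: a role granted on
    a folder holds for every object inside that folder and its subfolders."""
    roles: set[str] = set()
    node: Obj | None = obj
    while node is not None:
        roles |= node.local_roles.get(user, set())
        node = node.parent
    return roles


def roles_with_permission(perm: str, obj: Obj) -> set[str]:
    """Roles holding `perm` at `obj`: walk up to the nearest object that sets
    the permission; keep walking only while the setting acquires from above."""
    roles: set[str] = set()
    node: Obj | None = obj
    while node is not None:
        if perm in node.permission_roles:
            roles |= node.permission_roles[perm]
            if perm not in node.acquire:
                break  # explicit, non-acquiring setting: stop here
        node = node.parent
    return roles


def check_permission(user: str, perm: str, obj: Obj) -> bool:
    """Grant iff one of the user's roles in this context holds the permission."""
    return bool(roles_in_context(user, obj) & roles_with_permission(perm, obj))


def build_site() -> dict[str, Obj]:
    """Constructed sample tree following the collector example in the thread."""
    root = Obj("root")
    root.permission_roles["Review issue"] = {"Manager"}

    collector = root.child("collector")
    # The collector's manager designates joe_user as a supporter ...
    collector.local_roles["joe_user"] = {"reviewer"}
    # ... and reviewers may review here, in addition to what root allows.
    collector.permission_roles["Review issue"] = {"reviewer"}
    collector.acquire.add("Review issue")

    issue = collector.child("issue-1")
    # The submitter gets a creator role within the issue only.
    issue.local_roles["alice"] = {"creator"}
    issue.permission_roles["Edit issue"] = {"creator", "Manager"}

    # A subfolder that overrides the permission without acquiring it.
    archive = collector.child("archive")
    archive.permission_roles["Review issue"] = {"Manager"}
    old_issue = archive.child("issue-0")

    other = root.child("other-folder")
    return {"root": root, "collector": collector, "issue": issue,
            "old_issue": old_issue, "other": other}


if __name__ == "__main__":
    site = build_site()
    for user, perm, where in [("joe_user", "Review issue", "issue"),
                              ("joe_user", "Review issue", "other"),
                              ("joe_user", "Review issue", "old_issue"),
                              ("alice", "Edit issue", "issue"),
                              ("joe_user", "Edit issue", "issue")]:
        print(f"{user:9} {perm:13} in {where:9}: "
              f"{check_permission(user, perm, site[where])}")
```

Running the module shows the containment behaviour from the message: joe_user's reviewer role, granted on the collector, lets him review issue-1 inside it but not anything in the sibling folder, and alice's creator role is confined to the one issue. The archive subfolder illustrates the opposite direction: a permission setting that does not acquire cuts off the reviewer grant from above even though joe_user still carries the role there, which is the kind of interaction a practitioner should test rather than assume when laying out roles and permissions in a tree.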