[Zope3-dev] Initial thoughts on the Zope3 security framework

Guido van Rossum guido@python.org
Sun, 09 Dec 2001 14:45:15 -0500


[me]
> > OK, that makes sense -- just as there can be user folders sitting
> > anywhere in a tree, there can be roles defined anywhere in the tree,
> > and they propagate down in the same way.  Right?

[Ken]
> Close.

This suggests I wasn't quite right (as in "close, but no cigar"), but
the rest of what you write doesn't explain where I was wrong.

> Local roles map roles to user ids within the context of an object in the
> database.  Eg, a folder may grant local role "reviewer" to joe_user, so
> joe_user account gets reviewer role within the folder.  The role mappings
> obtain for objects contained within the folders, so the local roles apply
> for objects in the folder and in subfolders.

Since when can "obtain" be used intransitively?  What does "X obtains"
mean?

> Local roles have played a pretty central role in most or all of the Zope
> applications i've written - they're how the people with particular roles
> in the application are assigned those roles.
> 
> Eg, in collector instances, the manager of the instance designates
> supporters, effectively giving those accounts the 'reviewer' role within
> the context of that collector. (Local roles associate role names with
> account names.  Permission-to-role associations are separate mappings,
> also associated with objects, and optionally acquired within them.)
> These role assignments obtain for all the contained issues.  Along similar
> lines, the person who submits an issue gets something to the effect of a
> 'creator' role within the context of the issue, getting the creator's
> permissions.
> 
> I have some complaints with the current local roles implementation of
> local roles - i usually need to incrementally adjust role assignments in
> ways that require iterating over the collection, and as martijn suggests
> the TTW interface doesn't scale to sites with large numbers of users - but
> all these complaints are superficial.  I think many Zope applications use
> them the way i describe, and they're the right way to do it - they're a
> key means to effectively employing Zope security...

I still don't see where my interpretation was off base.

--Guido van Rossum (home page: http://www.python.org/~guido/)
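To make the mechanics Ken describes concrete (local roles granted in the context of an object and applying to everything contained in it, with permission-to-role mappings kept separate and optionally acquired from the container), here is a small Python model added as an illustration. It is not Zope's code; the `Node` class, its method names and the `collector_demo` scenario are all constructed for this example.

```python
class Node:
    """Simplified model of a Zope containment tree; not Zope's own code."""

    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.local_roles = {}       # user id -> set of roles, in this context
        self.permission_roles = {}  # permission -> (roles, acquire flag)

    def grant_local_role(self, user, role):
        self.local_roles.setdefault(user, set()).add(role)

    def set_permission(self, permission, roles, acquire=True):
        self.permission_roles[permission] = (set(roles), acquire)

    def roles_of(self, user):
        """Roles `user` holds here: local roles granted on this object or
        on any enclosing container (local roles propagate down the tree)."""
        roles = set(self.local_roles.get(user, ()))
        return roles | self.parent.roles_of(user) if self.parent else roles

    def roles_for_permission(self, permission):
        """Roles that hold `permission` here.  Unset here -> acquire from the
        container; set with acquire=True -> union with the container's."""
        entry = self.permission_roles.get(permission)
        above = self.parent.roles_for_permission(permission) if self.parent else set()
        if entry is None:
            return above
        roles, acquire = entry
        return roles | above if acquire else set(roles)

    def allowed(self, user, permission):
        return bool(self.roles_of(user) & self.roles_for_permission(permission))


def collector_demo():
    """Constructed scenario from the thread: the collector manager grants
    joe_user 'reviewer'; the issue submitter gets 'creator' on the issue."""
    root = Node("root")
    collector = Node("collector", parent=root)
    collector.set_permission("Edit issue", {"reviewer", "creator"}, acquire=False)
    collector.grant_local_role("joe_user", "reviewer")
    issue = Node("issue-1", parent=collector)
    issue.grant_local_role("alice", "creator")
    sibling = Node("other-folder", parent=root)
    return {
        "joe on issue": issue.allowed("joe_user", "Edit issue"),             # True
        "alice on own issue": issue.allowed("alice", "Edit issue"),          # True
        "alice on collector": collector.allowed("alice", "Edit issue"),      # False
        "joe outside collector": sibling.allowed("joe_user", "Edit issue"),  # False
    }
```

The last two results show the scoping Ken relies on: a 'creator' role granted on one issue does not reach the collector above it, and a 'reviewer' role granted in the collector does not reach a sibling folder.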