[Zope3-dev] Initial thoughts on the Zope3 security framework

Shane Hathaway shane@zope.com
Mon, 10 Dec 2001 13:28:03 -0500


Martijn Faassen wrote:

> Guido van Rossum wrote:
> 
>>>Hm, at least I know 'local role'. A local role is a role a user receives
>>>dependent on what object he tries to access. I.e. I may have role 'manager'
>>>in one place while only role 'anonymous' in another. Local role permissions
>>>are acquired by subobjects. Currently local roles are settable in a
>>>non-scalable sad stepchild screen in the ZMI hanging off the 
>>>security tab. They're pretty common in the types of sites I design,
>>>so I'm glad to see they're gaining a more central place; non-local roles
>>>are only a specialization of local roles, as they should be.
>>>
>>OK, that makes sense -- just as there can be user folders sitting
>>anywhere in a tree, there can be roles defined anywhere in the tree,
>>and they propagate down in the same way.  Right?
> 
> Yes, that's correct. There has been some talk recently about making them more
> centralized for reasons of making them easier to catalog, but nothing
> yet has come out of that. And I rather like the principle of having each
> branch of the tree be a tree by itself in Zope. Even so, perhaps Shane
> should put in a word about his cataloging use case.

I've had some more thoughts on that--it occurred to me that the catalog 
actually could take over the knowledge of local roles, and could use any 
strategy it likes, since it is after all an object index.  We could make 
the catalog build a second table, or perhaps it could be another index. 
In any case, I think I'll back down on this issue.

Centrally manageable security, OTOH, seems like a good goal anyway.

Shane
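
Added example, not part of the original message and not Zope code: a minimal model of the local roles discussed in this thread, where a grant made on one object is acquired by its subobjects, together with a catalog-side table of where each role is in effect. The Node class, the function names, the sample tree and the treatment of 'anonymous' as the default role are all assumptions made for illustration.

```python
from collections import defaultdict

class Node:
    """One object in a containment tree (hypothetical model, not Zope's classes)."""
    def __init__(self, name, parent=None):
        self.name, self.parent, self.children = name, parent, []
        self.local_roles = defaultdict(set)  # user -> roles granted at this object
        if parent is not None:
            parent.children.append(self)

    def path(self):
        if self.parent is None:
            return "/"
        return self.parent.path().rstrip("/") + "/" + self.name

def effective_roles(node, user):
    """Union of the roles granted on node and on every ancestor above it."""
    roles = {"anonymous"}  # assumed default role for every user
    while node is not None:
        roles |= node.local_roles.get(user, set())
        node = node.parent
    return roles

def build_role_index(root):
    """Catalog-side table: (user, role) -> paths where that role is in effect."""
    index = defaultdict(set)

    def walk(node, inherited):
        # Copy the inherited grants so sibling branches do not see each other's roles.
        current = {user: set(roles) for user, roles in inherited.items()}
        for user, roles in node.local_roles.items():
            current.setdefault(user, set()).update(roles)
        for user, roles in current.items():
            for role in roles:
                index[(user, role)].add(node.path())
        for child in node.children:
            walk(child, current)

    walk(root, {})
    return index

# Constructed sample tree: 'manager' is granted on /docs only.
root = Node("")
docs = Node("docs", root)
draft = Node("draft", docs)
news = Node("news", root)
docs.local_roles["martijn"].add("manager")
ROLE_INDEX = build_role_index(root)
```

The table is a derived copy of the grants stored on the objects, so it has to be rebuilt or updated whenever a grant changes or an object moves; a stale table would report roles that no longer apply.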