[Zope3-dev] Initial thoughts on the Zope3 security framework

Martijn Faassen faassen@vet.uu.nl
Mon, 10 Dec 2001 20:35:31 +0100


Shane Hathaway wrote:
> >Yes, that's correct. There has been some talk recently about making them
> >more centralized for reasons of making them easier to catalog, but nothing
> >yet has come out of that. And I rather like the principle of having each
> >branch of the tree be a tree by itself in Zope. Even so, perhaps Shane
> >should put in a word about his cataloging use case.
> 
> I've had some more thoughts on that--it occurred to me that the catalog 
> actually could take over the knowledge of local roles, and could use any 
> strategy it likes, since it is after all an object index.

So there would be no local role information anywhere in the tree, just
in the catalog, and the tree itself can query this local role core service
to determine whether a user has permissions or not.

Or do you mean we simply catalog the local role information, and we have
a catalog that uses something like path indexes to determine whether someone
has access?

> We could make the catalog build a second table, or perhaps it could be
> another index.

I'm not sure I understand.

> In any case, I think I'll back down on this issue.

Hm, what're you backing down on? :)

> Centrally manageable security, OTOH, seems like a good goal anyway.

Centrally *manageable* yes, but I'd like every subtree to be as independent
at the same time, which is another good goal. What I take as the center
where I'm managing from should ideally be any branch of the tree I pick.

Regards,

Martijn