[Zope3-dev] Initial thoughts on the Zope3 security framework

Martijn Faassen faassen@vet.uu.nl
Tue, 11 Dec 2001 15:14:48 +0100


Jim Fulton wrote:
> Martijn Faassen wrote:
> > 
> > Ken Manheimer wrote:
> > [snip]
> > > I think that, ideally, it's relatively rare to create new roles, while
> > > role-to-permission mappings are typically adjusted on a per-product basis,
> > > and role-to-account mappings are adjusted (using local roles) on a
> > > per-instance basis to assign privileges to particular users within the
> > > context of the instance.
> > 
> > While this seems to make sense, it doesn't seem to include the use case
> > where I want to close a certain section of the site to anonymous.
> 
> I'm not sure exactly what that means.

I meant that role-to-permission mappings are frequently adjusted on
a per-instance basis, as opposed to on a per-product basis. The per-instance
basis mapping needs to happen in order to close off sections of a site
to anonymous. Perhaps there's a better way that uses local roles only,
but I haven't thought of one yet... perhaps there's a possibility for a
'viewer' core role, and an anonymous *group* which everyone who hasn't
authenticated is part of -- then you need a way to assign a viewer role to the
anonymous group in the root of the site, and also the possibility to take
it away again in those sections of the site you don't want anonymous
users to view. 

Regards,

Martijn
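
An added example, not part of the original message and not Zope 3 code: a minimal Python model of the scheme sketched above, with a 'Viewer' role granted to an anonymous group at the site root and taken away again in one section. All names (Node, grant, deny, check_permission, "group:anonymous") are hypothetical, and the rule that the setting nearest the context wins is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

ALLOW, DENY = "allow", "deny"
ANONYMOUS_GROUP = "group:anonymous"  # hypothetical group id
# Role-to-permission mapping, fixed per product (constructed sample).
ROLE_PERMISSIONS = {"Viewer": {"View"}, "Manager": {"View", "Manage"}}

@dataclass
class Node:
    """One object in the containment hierarchy, with its local role settings."""
    name: str
    parent: Optional["Node"] = None
    local_roles: dict = field(default_factory=dict)  # (principal, role) -> ALLOW/DENY

    def grant(self, principal, role):
        self.local_roles[(principal, role)] = ALLOW

    def deny(self, principal, role):
        self.local_roles[(principal, role)] = DENY

def principals_for(user):
    # Assumption: a request with no authenticated user is only in the anonymous group.
    return {ANONYMOUS_GROUP} if user is None else {user}

def effective_roles(node, user):
    """Walk from the context up to the root; the nearest setting wins."""
    ids, decided = principals_for(user), {}
    while node is not None:
        for (principal, role), setting in node.local_roles.items():
            if principal in ids:
                decided.setdefault((principal, role), setting)
        node = node.parent
    return {role for (_, role), setting in decided.items() if setting == ALLOW}

def check_permission(node, user, permission):
    roles = effective_roles(node, user)
    return any(permission in ROLE_PERMISSIONS.get(r, ()) for r in roles)

# Constructed sample site: /public stays open, /members is closed to anonymous.
root = Node("root")
public, members = Node("public", root), Node("members", root)
page = Node("page", members)
root.grant(ANONYMOUS_GROUP, "Viewer")     # anonymous may view the whole site...
members.deny(ANONYMOUS_GROUP, "Viewer")   # ...except this section and below
members.grant("alice", "Viewer")          # local role for an authenticated user
```

Only local role assignments change per section here; the role-to-permission mapping is never touched per instance.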