[Zope3-dev] Initial thoughts on the Zope3 security framework

Lennart Regebro lennart@regebro.nu
Thu, 13 Dec 2001 08:52:07 +0100

From: "Lalo Martins" <lalo@hackandroll.org>
>   In Zope 2.x it's still usual to have "global" roles for a user, but
>   they're not really global - the role holds wherever the user holds,
>   but remember the user is also local, so a role defined in the user
>   object is more or less the same as a local role on the same context.

First I thought, "No, that's all wrong", and then I realized that, no, it
isn't. It's just a difference for us at Torped, since we have changed the
setup a bit... :-)

We have made an enhancement to roles that I would like to see in Zope3,
namely the possibility to block out roles lower down in the folder
hierarchy. For example, if you have a global website, and then several
local sites below it, you may not want the people that can edit the global
site to be able to edit the local sites.

See http://www.zope.org/Members/regebro/LRBlacklist for this.
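
A toy model of the role blocking described in this message, added here as an illustration; it is not code from Zope, from the LRBlacklist product, or from the author. The `Folder` class, the `blocked_roles` attribute and `roles_in_context` are hypothetical names, and the model assumes a block only affects roles inherited from folders above the one where it is set.

```python
# Added illustration: a toy model, not Zope or LRBlacklist code.

class Folder:
    def __init__(self, name, parent=None, local_roles=None, blocked_roles=()):
        self.name = name
        self.parent = parent
        # user id -> set of role names granted at this folder
        self.local_roles = local_roles or {}
        # role names that must not be inherited from above this folder
        # (assumed semantics, see the lead-in)
        self.blocked_roles = frozenset(blocked_roles)


def roles_in_context(user, folder):
    """Merge the user's roles from `folder` up to the root.

    A role blocked at some folder is dropped when it was granted strictly
    above that folder; grants at or below the blocking folder still count.
    """
    roles = set()
    blocked = set()
    node = folder
    while node is not None:
        granted = node.local_roles.get(user, set())
        # Only blocks collected from folders below `node` apply to its grants.
        roles |= {r for r in granted if r not in blocked}
        # From here upward, this folder's blocked roles are filtered out.
        blocked |= node.blocked_roles
        node = node.parent
    return roles


# Constructed sample hierarchy: one global site, two local sites below it.
global_site = Folder("global",
                     local_roles={"alice": {"Editor", "Reviewer"}})
# The Swedish site blocks inherited Editor rights and names its own editor.
site_se = Folder("se", parent=global_site,
                 local_roles={"bob": {"Editor"}},
                 blocked_roles={"Editor"})
se_news = Folder("news", parent=site_se)
# The German site sets no block, so global roles are inherited as usual.
site_de = Folder("de", parent=global_site)

if __name__ == "__main__":
    for user in ("alice", "bob"):
        for folder in (global_site, se_news, site_de):
            found = sorted(roles_in_context(user, folder))
            print(f"{user:5} in {folder.name:6} -> {found}")
```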