[Zope3-dev] Two-part permissions?

[Lennart Regebro]

> Would it be worth breaking this down further?
> Using this scheme, as Zope 2 does, you need a 'View X', a 'View Y', a
> 'View Z' permission, then a 'Delete X', 'Delete Y', 'Delete Z' permission,
> and so on ending up with a _lot_ of permissions.
>
> Would it be possible or beneficial to break these down into 'View' and
> 'Delete' permissions that could be controlled on the basis of the type of
> object they applied to?

Absolutely. But I would like a third part: Product group. This could be
"Zope" for the products that come with Zope core, and "Formulator", for
those permissions, "Easy Publisher" for att the ones we send with out CM
system, and so on. That way you could in the user interface group
permissions on either product group, action or object, and it would be
possible to add buttons to set all or clear all of the visible settings for
a role.

From: "Jeremy Hylton" <jeremy@zope.com>
> This makes a lot of sense.  What if each permission had to belong to
> one of four categories -- read, write, execute, and manage?

My unix security allergy started to itch. :-)

Add, change, delete, view, call maybe? Although I'm not sure it is
neccessary to actually limit the categories.