[Zope3-dev] Groups / 10x

Martijn Faassen faassen@vet.uu.nl
Sun, 16 Dec 2001 20:00:35 +0100


Chris Withers wrote:
> "Phillip J. Eby" wrote:
> > 
> > Given that supporting applications based on non-ZODB data sources is also
> > relevant to 10x, I'd have to say that computed roles and groups are *not*,
> > repeat *not* interchangeable.  As Shane and I have both pointed out, groups
> > can't do what computed roles can, but computed roles *can* do what groups can.
> 
> Well, whatever, I merely suggest that it might aid the 10x aim if Zope 3 came
> with "groups" with a nice UI that make people coming from LDAP or Lotus Notes
> backgrounds, for example, comfortable.
> 
> Computed Local Roles on their own _won't_ do this ;-)

Sure, but you just need a way to:

  * map user metadata coming from a datasource (LDAP, SQL, ZODB) to
    group names

  * a new component along the lines of acl_users that can be placed in
    (say) Folders, which can map group names to (lists of) local roles.

Now, whenever a user wants to do X, it needs a role for it. So, you
could have computed local roles installed that:

  * access the first mapping for this particular user, getting the group
    this user belongs to.

  * now access the second component with the group, to check whether this
    group name has the desired role.

And you'd be done. Groups aren't hard to construct on top of computable
local roles, and the security machinery doesn't even need to know about
them. And computable local roles aren't that complicated to add to 
Zope2, except that there's some inefficiency (Zope wants *all* local
roles for a user) and user interface problems.
 
At least that's one way. :)

Regards,

Martijn
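
The two-mapping scheme described in this message, as an added sketch that is not part of the original post and not Zope code. All names (`groups_for`, `Folder`, `has_local_role`, `all_local_roles`) and the sample metadata are hypothetical, and walking up parent folders is an assumption about how the per-folder mappings would combine.

```python
# Added illustration; every name here is hypothetical, none is Zope API.

# Constructed user metadata as it might arrive from LDAP, SQL or ZODB.
USER_METADATA = {
    "alice": {"department": "editors", "memberOf": ["cn=staff"]},
    "bob": {"department": "sales", "memberOf": []},
}


def groups_for(user_id, metadata=USER_METADATA):
    """First mapping: datasource metadata -> group names."""
    record = metadata.get(user_id)
    if record is None:
        return frozenset()  # unknown user: no groups, hence no roles
    groups = {record["department"]}
    groups.update(cn.split("=", 1)[1] for cn in record["memberOf"])
    return frozenset(groups)


class Folder:
    """Container holding the second mapping: group name -> local roles."""
    def __init__(self, parent=None, group_roles=None):
        self.parent = parent
        self.group_roles = dict(group_roles or {})


def has_local_role(user_id, folder, role):
    """Computed check for one role: stop at the first folder granting it."""
    groups = groups_for(user_id)
    while folder is not None:
        for group in groups:
            if role in folder.group_roles.get(group, ()):
                return True
        folder = folder.parent  # assumption: mappings in parents also apply
    return False


def all_local_roles(user_id, folder):
    """What a caller wanting *all* local roles forces: a full walk."""
    groups, roles = groups_for(user_id), set()
    while folder is not None:
        for group in groups:
            roles.update(folder.group_roles.get(group, ()))
        folder = folder.parent
    return roles


# Constructed folder tree: 'docs' sits inside 'root'.
root = Folder(group_roles={"staff": ["Viewer"]})
docs = Folder(parent=root, group_roles={"editors": ["Editor"]})
```

`has_local_role` can return as soon as one grant is found, while `all_local_roles` always visits every folder and group, which is the inefficiency the message mentions for a caller that wants the full role list.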