[Zope3-dev] Initial thoughts on the Zope3 security framework
Jim Fulton
jim@zope.com
Mon, 17 Dec 2001 14:44:05 -0500
Martijn Faassen wrote:
>
> Jim Fulton wrote:
> > Martijn Faassen wrote:
> > >
> > > Ken Manheimer wrote:
> > > [snip]
> > > > I think that, ideally, it's relatively rare to create new roles, while
> > > > role-to-permission mappings are typically adjusted on a per-product basis,
> > > > and role-to-account mappings are adjusted (using local roles) on a
> > > > per-instance basis to assign privileges to particular users within the
> > > > context of the instance.
> > >
> > > While this seems to make sense, it doesn't seem to include the use case
> > > where I want to close a certain section of the site to anonymous.
> >
> > I'm not sure exactly what that means.
>
> I meant that role-to-permission mappings are frequently adjusted on
> a per instance basis, as opposed to on a per-product basis. The per-instance
> basis mapping needs to happen in order to close off sections of a site
> to anonymous. Perhaps there's a better way that uses local roles only,
> but I haven't thought of one yet.. perhaps there's a possibility for a
> 'viewer' core role, and an anonymous *group* which everyone who hasn't
> authenticated is part of -- then you need a way to assign a viewer role to the
> anonymous group in the root of the site, and also the possibility to take
> it away again in those sections of the site you don't want anonymous
> users to view.
We contemplate being able to make "deny" assertions as well as allow.
This will probably be more powerful than enabling or disabling acquisition
of role->permission assignments. In your example, one could, it a particular
area, deny Anonymous the view permission.
Jim
--
Jim Fulton mailto:jim@zope.com Python Powered!
CTO (888) 344-4332 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org