[Zope3-dev] Permissions and workflow

[Lennart Regebro]

I have given this some thought, and this is what I'm thinking so far.
Correct me if I'm wrong somewhere:

I guess the functionality to have different permission in different workflow
states will be used mainly for two things:
1. Protecting the workflow transitions, so that only people with the correct
rights can move the object from state A to State B.
2. Protecting the visibility of non-published objects.

Number one is internal to the workflow system, and therefore poses no
challenge, but number two protects a method native to the object and is
therefore slightly more complex.

If there is a method in your object wheer you want people to have different
permissions depending on what the workflow-state is, then you can't use the
config file to set permissions because they are static. Instead you have to
make a check inside the method, right?

Now, how can this check be done easily without the object in itself having
knowledge about the workflow configuration? It seems to me that the only
alternative is that the workflow service has a security check of it's own,
so that you can set up a role to permissions mapping there that is sensitive
to the workflow state.

This also means that only methods that are set to Public and are programmed
to do this dynamic security check will be able to have different rights for
different workflow states. I don't see that as a problem, what about you
others? I guess also you will need to register permissions with the workflow
just as you register it with the standard security system.
Hmm, or maybe there will be a second type of permission registration in the
configuration file that sais that this permission is workflow dependant?