[Zope3-dev] Permissions and workflow

[Shane Hathaway]

Lennart Regebro wrote:

> I guess the functionality to have different permission in different workflow
> states will be used mainly for two things:
> 1. Protecting the workflow transitions, so that only people with the correct
> rights can move the object from state A to State B.
> 2. Protecting the visibility of non-published objects.
> 
> Number one is internal to the workflow system, and therefore poses no
> challenge, but number two protects a method native to the object and is
> therefore slightly more complex.


Right.  I would generalize requirement #2 to "Protecting 
non-workflow-aware methods based on workflow status."

> If there is a method in your object wheer you want people to have different
> permissions depending on what the workflow-state is, then you can't use the
> config file to set permissions because they are static. Instead you have to
> make a check inside the method, right?
> 
> Now, how can this check be done easily without the object in itself having
> knowledge about the workflow configuration? It seems to me that the only
> alternative is that the workflow service has a security check of it's own,
> so that you can set up a role to permissions mapping there that is sensitive
> to the workflow state.


I think what Jim has in mind is that you'll be able to register a local 
roles adapter for arbitrary objects.  For workflowed objects, you'll 
register an adapter that is aware of workflow state, and map different 
people to different roles depending on the state.  I think it could work 
  very well, assuming I have accurately guessed Jim's intentions. :-)

Shane