[Zope3-dev] a note on groups and roles

Joachim Werner joe@iuveno-net.de
Mon, 25 Mar 2002 10:15:58 +0100


> > I think that only the part of the user folder implementation
> > that does the mapping has to be placeful.
>
> How would you decide who gets to perform the mapping in a place?

Anybody who has the permissions to do so would be able to do the mapping.
There's nothing new or special about that ...

> > Yes, but that's exactly the type of tests that don't work properly in Zope
> > 2. They DO work if I directly access a resource via a URL, because then
> > the AUTHENTICATED_USER is identical with the user that is the nearest
> > authentication source for the object. But if I test it from somewhere else
> > as is the case with Kontentor's management interface, this doesn't work
> > properly. The AUTHENTICATED_USER is the one that is used for
> > authenticating the first object that is called (e.g. if I have
> > http://server/folder/index_html, it will give me the user object that is
> > in folder), but if I display another object on the page that resides in
> > the parent folder, that one is NOT checked against its own nearest user
> > folder instead, but against the same user object again.

> Ugh.  I'm not sure I want to understand this problem. ;-)  At least in the
> context of Zope 3 (if you can replicate the problem for Zope 2, please
> submit a collector issue).

I really hope that this will not be an issue in Zope 3 ;-)
In Zope 2, how should I claim that to be an issue if, as you say, nobody
really knows what the security is supposed to do?

> That said, in my suggestion for Zope 3, users may not have the same
> username; a user with a particular username can be defined in one and only
> one place.  The system would always authenticate you as the same user
> regardless of the place in the system that you're accessing, presuming that
> your user is defined at or below the place you're accessing.  This would
> seem to make the sort of problem that you're talking about impossible.

Definitely ...
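Added illustration, not code from this thread and not Zope's own implementation: a small Python model of the two behaviours Joachim contrasts above. A folder may carry a placeful user folder (`acl_users`); a request authenticates against the nearest user folder of the first object it touches. In the behaviour described for Zope 2 that user object is then reused for every other object rendered on the page, so an object in the parent folder is never checked against its own nearest user folder. The second check re-resolves the user per object. The last function models the Zope 3 proposal that a username may be defined in exactly one place. All names, paths, users and passwords (`root`, `folder`, `index_html`, `parent_doc`, `alice`, `bob`) are constructed for the example.

```python
"""Simplified model of placeful user folders (constructed illustration, not Zope code)."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    name: str
    password: str
    roles: frozenset


@dataclass
class Node:
    """A folder or document; acl_users is the placeful user folder, if any."""
    name: str
    parent: Optional["Node"] = None
    acl_users: Optional[dict] = None            # username -> User
    required_roles: frozenset = frozenset()     # roles allowed to view this node
    children: dict = field(default_factory=dict)

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children[child.name] = child
        return child

    def path(self) -> str:
        parts, n = [], self
        while n.parent is not None:
            parts.append(n.name)
            n = n.parent
        return "/" + "/".join(reversed(parts))


def nearest_user_folder(node: Node) -> Optional[dict]:
    """Walk up from node (inclusive) to the first container that has acl_users."""
    n = node
    while n is not None:
        if n.acl_users is not None:
            return n.acl_users
        n = n.parent
    return None


def authenticate(node: Node, username: str, password: str) -> Optional[User]:
    """Resolve credentials against the nearest user folder of `node`."""
    uf = nearest_user_folder(node)
    user = uf.get(username) if uf else None
    if user is None or user.password != password:
        return None
    return user


def allowed(node: Node, user: Optional[User]) -> bool:
    return user is not None and bool(node.required_roles & user.roles)


def check_request_user(first_node: Node, other_node: Node, username: str, password: str) -> bool:
    """Behaviour described for Zope 2: AUTHENTICATED_USER is bound once, from the
    first object's nearest user folder, and reused for every other object."""
    authenticated_user = authenticate(first_node, username, password)
    return allowed(other_node, authenticated_user)


def check_nearest_folder(node: Node, username: str, password: str) -> bool:
    """The behaviour Joachim expected: each object is checked against its own
    nearest user folder."""
    return allowed(node, authenticate(node, username, password))


def usernames_unique(root: Node) -> bool:
    """Zope 3 proposal from the thread: a username is defined in one and only one place."""
    seen, stack = set(), [root]
    while stack:
        n = stack.pop()
        for name in (n.acl_users or {}):
            if name in seen:
                return False
            seen.add(name)
        stack.extend(n.children.values())
    return True


def build_site():
    """Constructed tree: /parent_doc lives beside /folder, which has its own user folder."""
    root = Node("root", acl_users={"alice": User("alice", "pw-a", frozenset({"Manager"}))})
    parent_doc = root.add(Node("parent_doc", required_roles=frozenset({"Manager"})))
    folder = root.add(Node("folder", acl_users={"bob": User("bob", "pw-b", frozenset({"Manager"}))}))
    index_html = folder.add(Node("index_html", required_roles=frozenset({"Manager"})))
    return root, folder, index_html, parent_doc


if __name__ == "__main__":
    root, folder, index_html, parent_doc = build_site()
    # Request for /folder/index_html as bob, then render /parent_doc on the same page.
    print("reuse request user:", check_request_user(index_html, parent_doc, "bob", "pw-b"))
    print("own nearest folder:", check_nearest_folder(parent_doc, "bob", "pw-b"))
    print("usernames unique:", usernames_unique(root))
```

Requesting `/folder/index_html` as `bob` binds a user defined in `/folder`; reusing that user lets `bob` view `/parent_doc` even though the root user folder does not know him, while a per-object lookup against the nearest user folder denies it. With unique usernames there is only one `bob` in the tree, so the question of which folder's `bob` applies does not arise.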