[Zope3-dev] Re: a note on groups and roles

Phillip J. Eby pje@telecommunity.com
Thu, 28 Mar 2002 21:08:53 -0500


At 08:08 AM 3/28/02 +0000, Steve Alexander wrote:

>>I'm assuming, however, that when you say "protected by a single 
>>permission" that there is "only one permission which allows access", as 
>>opposed to "only one permission required".  :)
>
>I'm not sure what your distinction is here.
>
>I'm certainly not saying "each permission allows access to only one method".

Consider a method M, and permissions P1 and P2.  Does "protected by a 
single permission" mean I cannot grant access to M to anyone who has 
permission P1 *or* P2?   Or does it merely mean I cannot require someone 
have P1 *and* P2 in order to access M?

If I can grant access to M upon possession of P1 *or* P2, this is fine and 
does not lead to an excess of fine grained permissions.  However, if I must 
tie M to only one of the two permissions, and a principal thus MUST have 
that permission to access M, this leads in the degenerate case to having 
one permission for each method.

In fact, for the applications I deal with, it would *force* me to create 
permissions for each method, in order to ensure maintainability when 
business rules change!  That is, if I were to group methods together under 
the same permission to reduce the number of permissions, I would then have 
to ungroup them when rules change, and change how the translation gets done 
from application-level roles to Zope's permissions.  I would be better off 
implementing my own role-to-permissions mapping system using a single 
permission for each method...  which seems quite silly.

So you see, once again the mere existence of "sets of permissions" does not 
give equivalent functionality to roles.

I find it curious to be in the position, not of arguing for a new feature 
in Zope, but rather of arguing to prevent the removal of a perfectly good 
feature which works *very* well for me as it is, is a good conceptual fit 
for what I need in my applications, was easy to understand and I find easy 
to explain to other developers.  Quite a novel situation for me.  :)
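The distinction drawn above (one permission per method that a principal MUST hold, versus a method granted to holders of ANY of several permissions) can be made concrete with a small model. The following is an added example for this page, not code from the thread or from Zope; the role names (Clerk, Auditor), method names (M1..M3), the permission names it generates and the rule revisions are all constructed for illustration. It compiles a rule stated in role terms into each of the two readings, checks that both enforce the rule, and counts how many methods have to be regrouped under each reading when the rule changes.

```python
# Added illustration, not code from the thread or from Zope: it models the two
# readings of "protected by a single permission" that the post contrasts.
# Role names (Clerk, Auditor), method names (M1..M3), generated permission
# names and the rule revisions are constructed for this example.

ROLES = ("Clerk", "Auditor")

# A business rule stated directly in role terms: method -> roles that may call it.
RULE_V1 = {
    "M1": frozenset({"Clerk", "Auditor"}),
    "M2": frozenset({"Clerk", "Auditor"}),
    "M3": frozenset({"Auditor"}),
}
# A later revision of the same rule: Clerk loses access to M2.
RULE_V2 = dict(RULE_V1, M2=frozenset({"Auditor"}))
# A rule with three distinct access patterns: the degenerate case.
RULE_V3 = {
    "M1": frozenset({"Clerk"}),
    "M2": frozenset({"Clerk", "Auditor"}),
    "M3": frozenset({"Auditor"}),
}


def compile_single_permission(rule):
    """Reading 1: each method is tied to exactly ONE permission, which a
    principal must hold.  Two methods can share a permission only if exactly
    the same roles may call both, so one permission is emitted per distinct
    role set.  Returns (method -> permission, role -> set of permissions)."""
    perm_of_roleset, method_perm, role_perms = {}, {}, {}
    for method in sorted(rule):
        roles = rule[method]
        if roles not in perm_of_roleset:
            perm_of_roleset[roles] = "P%d" % (len(perm_of_roleset) + 1)
        method_perm[method] = perm_of_roleset[roles]
        for role in roles:
            role_perms.setdefault(role, set()).add(method_perm[method])
    return method_perm, role_perms


def allowed_single(method_perm, role_perms, role, method):
    """Access check under reading 1: the principal holds the method's permission."""
    return method_perm[method] in role_perms.get(role, set())


def compile_any_of(rule):
    """Reading 2: a method may be granted to holders of ANY of several
    permissions.  One permission per role then suffices, and a method's
    permission set is simply its role set renamed."""
    method_perms = {m: {"P_" + r for r in roles} for m, roles in rule.items()}
    role_perms = {r: {"P_" + r} for r in ROLES}
    return method_perms, role_perms


def allowed_any_of(method_perms, role_perms, role, method):
    """Access check under reading 2: any held permission unlocks the method."""
    return bool(method_perms[method] & role_perms.get(role, set()))


def enforces(rule, check):
    """True if check(role, method) agrees with the rule for every pair."""
    return all(check(r, m) == (r in rule[m]) for m in rule for r in ROLES)


def grouping(method_perm):
    """Which methods share a permission under reading 1, as a set of groups."""
    groups = {}
    for method, perm in method_perm.items():
        groups.setdefault(perm, set()).add(method)
    return {frozenset(g) for g in groups.values()}


def _group_of(method, groups):
    return next(g for g in groups if method in g)


def regrouped_single(old_rule, new_rule):
    """Methods whose permission grouping changes between two revisions under
    reading 1: the 'ungroup them when rules change' cost described above."""
    old = grouping(compile_single_permission(old_rule)[0])
    new = grouping(compile_single_permission(new_rule)[0])
    return {m for m in old_rule if _group_of(m, old) != _group_of(m, new)}


def regrouped_any_of(old_rule, new_rule):
    """Methods whose permission set changes under reading 2: only the methods
    the rule change actually touches."""
    old, new = compile_any_of(old_rule)[0], compile_any_of(new_rule)[0]
    return {m for m in old_rule if old[m] != new[m]}


if __name__ == "__main__":
    mp, rp = compile_single_permission(RULE_V1)
    print("reading 1, rule v1:", mp, "groups:", grouping(mp))
    print("reading 1 regrouped by v1 -> v2:", regrouped_single(RULE_V1, RULE_V2))
    print("reading 2 changed by v1 -> v2:", regrouped_any_of(RULE_V1, RULE_V2))
    print("reading 1 permissions for v3:",
          len(set(compile_single_permission(RULE_V3)[0].values())))
```

With RULE_V1, reading 1 gets away with two permissions (M1 and M2 share one), but the single change in RULE_V2 moves M2 into M3's group and so re-ties every method; reading 2 changes only M2's permission set. With RULE_V3, where every method has a different set of callers, reading 1 needs one permission per method, which is the degenerate case the post describes.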