[Zope3-dev] Re: a note on groups and roles
Phillip J. Eby
pje@telecommunity.com
Thu, 28 Mar 2002 21:08:53 -0500
At 08:08 AM 3/28/02 +0000, Steve Alexander wrote:
>>I'm assuming, however, that when you say "protected by a single
>>permission" that there is "only one permission which allows access", as
>>opposed to "only one permission required". :)
>
>I'm not sure what your distinction is here.
>
>I'm certainly not saying "each permission allows access to only one method".
Consider a method M, and permissions P1 and P2. Does "protected by a
single permission" mean I cannot grant access to M to anyone who has
permission P1 *or* P2? Or does it merely mean I cannot require someone
have P1 *and* P2 in order to access M?
If I can grant access to M upon possession of P1 *or* P2, this is fine and
does not lead to an excess of fine-grained permissions. However, if I must
tie M to only one of the two permissions, and a principal thus MUST have
that permission to access M, this leads in the degenerate case to having
one permission for each method.
In fact, for the applications I deal with, it would *force* me to create
permissions for each method, in order to ensure maintainability when
business rules change! That is, if I were to group methods together under
the same permission to reduce the number of permissions, I would then have
to ungroup them when rules change, and change how the translation gets done
from application-level roles to Zope's permissions. I would be better off
implementing my own role-to-permissions mapping system using a single
permission for each method... which seems quite silly.
So you see, once again the mere existence of "sets of permissions" does not
give equivalent functionality to roles.
I find it curious to be in the position, not of arguing for a new feature
in Zope, but rather of arguing to prevent the removal of a perfectly good
feature which works *very* well for me as it is, is a good conceptual fit
for what I need in my applications, was easy to understand and I find easy
to explain to other developers. Quite a novel situation for me. :)
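The two readings of "protected by a single permission" discussed in the message, modelled as an added example (this is not code from the message or from Zope); the methods, roles and permission names ('view', 'post', 'Ledger', 'Ledger-View') are constructed for illustration.

```python
# Added example, not code from the message or from Zope: the two readings of
# "protected by a single permission" applied to one business-rule change.
# Method, role and permission names ('view', 'post', 'Ledger'...) are constructed.

def allowed(policy, roles, role, method):
    """Grant when the role holds ANY permission listed for the method (reading
    A); reading B is the special case where each method lists exactly one."""
    return bool(policy[method] & roles.get(role, set()))

def restrict_role_or(policy, roles, role, keep_methods, new_perm):
    """Reading A (P1 *or* P2): add `new_perm` as an alternative on the kept
    methods and hand `role` only that permission; nothing else moves."""
    policy = {m: set(p) for m, p in policy.items()}
    roles = {r: set(p) for r, p in roles.items()}
    for m in keep_methods:
        policy[m].add(new_perm)
    roles[role] = {new_perm}
    return policy, roles

def restrict_role_single(policy, roles, role, keep_methods, new_perm):
    """Reading B (one permission per method): the kept methods must be ungrouped
    onto `new_perm`, and every other role that reached them through the old
    permission must be re-translated too, or it silently loses access."""
    policy = {m: set(p) for m, p in policy.items()}
    roles = {r: set(p) for r, p in roles.items()}
    old_perms = set().union(*(policy[m] for m in keep_methods))
    for m in keep_methods:
        policy[m] = {new_perm}
    for r, perms in roles.items():
        if r != role and perms & old_perms:
            perms.add(new_perm)
    roles[role] = {new_perm}
    return policy, roles

def roles_changed(before, after):
    """Roles whose permission translation had to be edited."""
    return sorted(r for r in after if before.get(r) != after[r])

# Constructed starting point: two methods grouped under one permission, held by
# three application roles. New rule: Clerks may still 'view' but no longer 'post'.
POLICY = {"view": {"Ledger"}, "post": {"Ledger"}}
ROLES = {"Clerk": {"Ledger"}, "Manager": {"Ledger"}, "Auditor": {"Ledger"}}

if __name__ == "__main__":
    for change in (restrict_role_or, restrict_role_single):
        p, r = change(POLICY, ROLES, "Clerk", ["view"], "Ledger-View")
        print(change.__name__, "-> roles re-translated:", roles_changed(ROLES, r))
```

Under reading A only the Clerk role's translation changes; under reading B every role that held the old grouping has to be re-translated, which is the maintenance cost the message describes.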