[Zope3-dev] Re: role (contextual) services?l

[Stephan Richter]

On Sunday 04 April 2004 05:06, Philipp von Weitershausen wrote:
> > Do we get groups in Zope3?
>
> Out of the box, no. But I'm sure someone will someday provide a security
> policy + principal source that does give us groups. Maybe in addition to
> roles, maybe instead or maybe both. Any takers? *wink*

I would like to have a standard implementation of groups in Zope 3. If you 
allow them to be a general graph, like Tres said, it will satisfy 95% of the 
users.

Note however, that a new security policy might not be necessary. Groups are 
really just principals. So it might be enough to deal with them in an 
authentication service level. Mmmh, maybe not. I guess the security policy 
would need to know about groups as well. 

Shane once suggested that there is a common pattern here. 

Groups contain Users contain Roles contain Permissions

for some definition of "contain". Of course a Group can be assigned roles and 
permissions directly too. But I wonder whether we could abstract the security 
policy in a way that we could insert a new segment in this path at any time. 
If all the information lies in one registry, then this could be really fast 
as well. 

From the TODOLATER.txt list:

- Support for groups in the security model. No one has been
  interested in working on this and, at this point, there are
  too many other things to do. We *are* committed to adding this
  eventually.

- Support for permission categories in the security model. No
  one has been interested in working on this and, at this point,
  there are too many other things to do. We *are* committed to
  adding this eventually assuming that it becomes necessary due
  to a large number of permissions.

So these suggest that there will be at least two more new security 
artifacts...

Regards,
Stephan
-- 
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training