[Zope3-dev] RFC: Aggregate Permissions and Principal Groups

Florent Guillaume fg at nuxeo.com
Thu Jul 29 11:25:59 EDT 2004


In article <41002A9B.80906 at zope.com> you write:
>    http://dev.zope.org/Zope3/AggregatePermissionsAndPrincipalGroups
> 
> to replace roles with aggregated permissions and add principal groups
> after Zope X3.0.

I like the proposal very much. Having had to do hacks in Zope 2 to get
direct user/group->permission mapping in CPS's repository, I'd love a
simpler model.

I'd like to expand a bit on the API for principal groups however. You
say that IPrincipal needs a 'groups' method. However there is IMO a
distinct need for two kinds of queries about groups:

1. What are the groups to which this principal has been assigned?

2. What are all the groups to which this principal effectively belongs?

The first one represents the group assignments that have been made by
the administrator for this principal. This is what is seen when the
principal is modified. In CPS we call it 'getGroups()'.

The second one is needed by the security machinery. In CPS we use
'getComputedGroups()' for this. It returns special groups (the
equivalent of zope.Authenticated and zope.Everybody), and also the
transitive closure of all the groups the principal belongs to. (It could
also compute dynamic groups if needed in the future.)

Florent


-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87  http://nuxeo.com  mailto:fg at nuxeo.com
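
The two group queries distinguished in the message above, as an added example that is not part of the original message and is not CPS or Zope code. The class GroupDirectory, its method names, the sample data and the rule that an unauthenticated principal gets only zope.Everybody are assumptions made for illustration.

```python
from collections import deque

# Special group ids named in the message; modelling them as plain strings is an assumption.
EVERYBODY = "zope.Everybody"
AUTHENTICATED = "zope.Authenticated"


class GroupDirectory:
    """Hypothetical in-memory store of direct group assignments."""

    def __init__(self, assignments):
        # member id (principal or group) -> set of directly assigned group ids
        self._direct = {k: set(v) for k, v in assignments.items()}

    def get_groups(self, member_id):
        """Query 1: only what the administrator assigned (shown when editing)."""
        return set(self._direct.get(member_id, ()))

    def get_computed_groups(self, principal_id, authenticated=True):
        """Query 2: effective groups, as the security machinery needs them."""
        seen = set()
        queue = deque(self.get_groups(principal_id))
        while queue:
            group = queue.popleft()
            if group in seen:
                # Already expanded; this also stops on membership cycles.
                continue
            seen.add(group)
            queue.extend(self.get_groups(group))
        # Special groups are never stored as assignments, only computed.
        seen.add(EVERYBODY)
        if authenticated:
            seen.add(AUTHENTICATED)
        return seen


# Constructed sample data: nested groups plus a cycle (staff -> employees -> staff).
SAMPLE = GroupDirectory({
    "alice": {"editors"},
    "editors": {"staff"},
    "staff": {"employees"},
    "employees": {"staff"},
    "bob": set(),
})

if __name__ == "__main__":
    print("assigned:", sorted(SAMPLE.get_groups("alice")))
    print("computed:", sorted(SAMPLE.get_computed_groups("alice")))
```

An access check that reads only the direct assignments would miss permissions granted to "staff" or "employees" for alice, while an edit form that shows the computed set would present inherited and special groups as if the administrator had assigned them.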

