[Zope3-dev] RFC: Aggregate Permissions and Principal Groups
Nicolas Évrard
nicoe at no-log.org
Thu Jul 29 18:40:26 EDT 2004
* Florent Guillaume [17:44 29/07/04 CEST]:
>In article <41002A9B.80906 at zope.com> you write:
>> http://dev.zope.org/Zope3/AggregatePermissionsAndPrincipalGroups
>>
>> to replace roles with aggregated permissions and add principal groups
>> after Zope X3.0.
>
>Also, is there somewhere a list of use cases for the grant/deny stuff?
>I'd like to be sure that all the ones we have are modeled in a natural
>manner. Also it would be nice if it was pluggable as I'm sure there will
>be needs to extend the model at some point. For instance is there a way
>to say
Let's repeat the proposed algorithm used to determine access on a resource:
When the security policy checks whether a principal has a permission on
an object it will check to see if there is an "allow" grant for the
permission:
* There is an allow grant for a permission if:
    o there is a direct allow grant or (1.1)
    o there is not a direct deny grant and there is an indirect allow
      grant (1.2)
* There is a direct allow grant if there is an allow grant on the
  object, including acquired grants. (Obviously, inner grants
  override outer grants, object-location-wise.) (2)
* There is a direct deny grant if there is a deny grant on the
  object, including acquired grants. (3)
* There is an indirect allow grant for a permission if there is an
  allow grant on any of the permission's parents. (4)
And now here's how I interpret it; correct me if I'm wrong:
> grant View here to group_secretary but not bob (even if he's in the group)
permissions: view and parent_view (containing view)
direct allow grant on group_secretary for parent_view
direct deny grant on bob for view
since the allow grant for view is indirect on bob, the deny grant takes
precedence.
> deny View here to group_secretary but still allow bob
no need for another permission.
direct allow grant on bob for view
direct deny grant for group_secretary on view
--
(°> Nicolas Évrard
/ ) Liège - Belgique
^^ Listening to: Fish
An Pierlé
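The following is an added worked example, not code from the Zope 3 project or from anyone in this thread. It models the four rules quoted above (1.1, 1.2, 2, 3, 4) as a small Python policy with permission parents, principal groups and location-based acquisition, and runs the two use cases from the mail plus an acquisition case. Two points the proposal leaves open are filled in as labelled assumptions: a grant made to a group counts as a grant on each member (a principal's own grant is consulted before its groups' grants at the same location), and the "parents" of a permission are taken transitively. Names such as `alice`, `carol`, `folder` and `doc` are constructed for the example.

```python
"""Added example (not Zope 3 code): a toy model of the grant/deny algorithm
quoted in the thread, run over the two use cases discussed there."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALLOW, DENY = "allow", "deny"


@dataclass
class Obj:
    """A securable object; `parent` is its container (the acquisition chain)."""
    name: str
    parent: Optional["Obj"] = None
    # (principal or group id, permission) -> ALLOW / DENY, made on this object
    grants: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def grant(self, who: str, permission: str, setting: str) -> None:
        self.grants[(who, permission)] = setting


class Policy:
    def __init__(self) -> None:
        self.parents: Dict[str, List[str]] = {}  # permission -> parent permissions
        self.groups: Dict[str, List[str]] = {}   # principal -> groups it belongs to

    def _ancestors(self, permission: str) -> List[str]:
        """All parent permissions, transitively (assumption: rule 4 is transitive)."""
        seen, todo = [], list(self.parents.get(permission, []))
        while todo:
            p = todo.pop(0)
            if p not in seen:
                seen.append(p)
                todo.extend(self.parents.get(p, []))
        return seen

    def _direct(self, principal: str, permission: str, obj: Optional[Obj]) -> Optional[str]:
        """Innermost grant for (principal, permission), walking outward through
        containers so that inner grants override outer ones (rules 2 and 3).
        Assumption: group grants apply to members, own grant checked first."""
        ids = [principal] + self.groups.get(principal, [])
        while obj is not None:
            for who in ids:
                setting = obj.grants.get((who, permission))
                if setting is not None:
                    return setting
            obj = obj.parent
        return None

    def check(self, principal: str, permission: str, obj: Obj) -> bool:
        direct = self._direct(principal, permission, obj)
        if direct == ALLOW:          # (1.1) direct allow grant wins
            return True
        if direct == DENY:           # (1.2) a direct deny blocks indirect allows
            return False
        # (1.2)/(4): no direct grant, so look for an allow on a parent permission
        return any(self._direct(principal, p, obj) == ALLOW
                   for p in self._ancestors(permission))


def grant_group_but_not_bob() -> Dict[str, bool]:
    """'grant View here to group_secretary but not bob': allow parent_view to
    the group, deny view to bob; bob's allow is only indirect, so deny wins."""
    policy = Policy()
    policy.parents["view"] = ["parent_view"]
    policy.groups["bob"] = ["group_secretary"]
    policy.groups["alice"] = ["group_secretary"]   # constructed group member
    here = Obj("here")
    here.grant("group_secretary", "parent_view", ALLOW)
    here.grant("bob", "view", DENY)
    return {p: policy.check(p, "view", here) for p in ("alice", "bob", "carol")}


def deny_group_but_allow_bob() -> Dict[str, bool]:
    """'deny View here to group_secretary but still allow bob': no extra
    permission needed, bob's direct allow takes precedence over the group deny."""
    policy = Policy()
    policy.groups["bob"] = ["group_secretary"]
    policy.groups["alice"] = ["group_secretary"]
    here = Obj("here")
    here.grant("bob", "view", ALLOW)
    here.grant("group_secretary", "view", DENY)
    return {p: policy.check(p, "view", here) for p in ("alice", "bob")}


def inner_overrides_outer() -> Tuple[bool, bool]:
    """Acquisition: an allow on the folder is overridden by a deny on a document
    inside it (constructed objects)."""
    policy = Policy()
    policy.groups["alice"] = ["group_secretary"]
    folder = Obj("folder")
    doc = Obj("doc", parent=folder)
    folder.grant("group_secretary", "view", ALLOW)
    doc.grant("group_secretary", "view", DENY)
    return policy.check("alice", "view", folder), policy.check("alice", "view", doc)


if __name__ == "__main__":
    print(grant_group_but_not_bob())   # {'alice': True, 'bob': False, 'carol': False}
    print(deny_group_but_allow_bob())  # {'alice': False, 'bob': True}
    print(inner_overrides_outer())     # (True, False)
```

Note that the first use case only works because `view` was given a parent permission: the group's allow reaches bob indirectly, and rule 1.2 lets his direct deny override it. If the group had been granted `view` itself, that allow would count as direct on bob under the group-membership assumption above and the deny would no longer win, which is exactly the modelling question the mail raises.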