[Zope3-dev] RFC: Aggregate Permissions and Principal Groups
Jim Fulton
jim at zope.com
Fri Jul 30 07:57:32 EDT 2004
Florent Guillaume wrote:
> In article <41002A9B.80906 at zope.com> you write:
>
>> http://dev.zope.org/Zope3/AggregatePermissionsAndPrincipalGroups
>>
>>to replace roles with aggregated permissions and add principal groups
>>after Zope X3.0.
>
>
> I like the proposal very much. Having had to do hacks in Zope 2 to get
> direct user/group->permission mapping in CPS's repository, I'd love a
> simpler model.
>
> I'd like to expand a bit on the API for principal groups however. You
> say that IPrincipal needs a 'groups' method. However there is IMO a
> distinct need for two kinds of queries about groups:
>
> 1. What are the groups to which this principal has been assigned.
>
> 2. What are all the groups that this principal effectively belongs to.
>
> The first one represents the group assignments that have been made by
> the administrator for this principal. This is what is seen when the
> principal is modified. In CPS we call it 'getGroups()'.
>
> The second one is needed by the security machinery. In CPS we use
> 'getComputedGroups()' for this. It returns special groups (the
> equivalent of zope.Authenticated and zope.Everybody), and also the
> transitive closure of all the groups the principal belongs to. (It could
> also compute dynamic groups if needed in the future.)

Agreed. I imagine that the principal querying API might need some
work too, assuming that we'd like to be able to distinguish groups
from ordinary principals in UIs. In the proposal, I've only suggested
a rough API. I'd welcome more fleshed out API proposals.

Jim
--
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
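
The two group queries discussed in this thread (direct assignments versus the effective set with special groups and the transitive closure), as an added Python example that is not part of the original message and is not Zope 3 or CPS code. The GroupDirectory class, its method names and the sample data are hypothetical; only the special group ids come from the message.

```python
# Added illustration; GroupDirectory and its methods are hypothetical,
# not the Zope 3 or CPS API.
SPECIAL_AUTHENTICATED = "zope.Authenticated"
SPECIAL_EVERYBODY = "zope.Everybody"


class GroupDirectory:
    def __init__(self, assignments):
        # principal or group id -> groups it was directly assigned to
        self._assigned = {k: tuple(v) for k, v in assignments.items()}

    def assigned_groups(self, principal_id):
        """Query 1: what the administrator assigned, nothing inferred."""
        return list(self._assigned.get(principal_id, ()))

    def computed_groups(self, principal_id, authenticated=True):
        """Query 2: effective membership used for access decisions."""
        seen = set()
        stack = list(self._assigned.get(principal_id, ()))
        while stack:
            group = stack.pop()
            if group in seen or group == principal_id:
                continue  # already expanded, or a cycle back to the start
            seen.add(group)
            stack.extend(self._assigned.get(group, ()))
        # Special groups are never stored as assignments; they are added here.
        seen.add(SPECIAL_EVERYBODY)
        if authenticated:
            seen.add(SPECIAL_AUTHENTICATED)
        return seen


# Constructed sample data: nested groups with a cycle editors <-> staff.
SAMPLE = GroupDirectory({
    "alice": ["editors"],
    "editors": ["staff"],
    "staff": ["employees", "editors"],
    "bob": [],
})

if __name__ == "__main__":
    print(SAMPLE.assigned_groups("alice"))
    print(sorted(SAMPLE.computed_groups("alice")))
    print(sorted(SAMPLE.computed_groups("bob", authenticated=False)))
```

An editing UI would show only the first query's result, while a permission check has to use the second, otherwise grants made to "staff" or "employees" would silently not apply to alice.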