[Zope3-dev] Re: Certification: Supporting"Residual
InformationProtection" in Zope 3
Tres Seaver
tseaver at palladion.com
Fri Dec 16 09:42:36 EST 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Martijn Faassen wrote:
> Roger Ineichen wrote:
>
> [Martijn goes into why this might be slow]
>
>> Yes you are right. Do you have another idea?
>
>
> A fairly drastic one, unfortunately -- catalog all role and permission
> assignments and run a query as soon a user is removed.
CMF does this for local roles, and Jim is already on record as disliking
it.
I am pleased with the *result*, which also allows the catalog to filter
"normal" content results efficiently based on the user's roles (the
original eason for the index). OTOH, the *implementation* is grotty.
> Hm, perhaps another idea would involve the timestamp of creation in the
> userid somewhere, to make the ids unique. Unfortunately I don't see how
> that would work with external authentication systems such as LDAP, as we
> don't know when userids are created and removed there.
The actual ID used by LDAP is a DSN. Perhaps the authorization system
could map the DSNs to internally-generated integer ID, which would be
the only value actually stored in grant records.
Tres.
- --
===================================================================
Tres Seaver +1 202-558-7113 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFDotJc+gerLs4ltQ4RAscQAJ9pNpD2Dce+3vxbOKOu3jeyi4OcZgCg08Ss
uLAalHjZ6RTaj32kmTnJLrw=
=J37w
-----END PGP SIGNATURE-----
More information about the Zope3-dev
mailing list