[Zope3-dev] Re: Certification: Supporting "Residual Information Protection" in Zope 3

Tres Seaver tseaver at palladion.com
Fri Dec 16 09:42:36 EST 2005


Martijn Faassen wrote:
> Roger Ineichen wrote:
> 
> [Martijn goes into why this might be slow]
> 
>> Yes you are right. Do you have another idea?
> 
> 
> A fairly drastic one, unfortunately -- catalog all role and permission
> assignments and run a query as soon a user is removed.

CMF does this for local roles, and Jim is already on record as disliking
it.

I am pleased with the *result*, which also allows the catalog to filter
"normal" content results efficiently based on the user's roles (the
original reason for the index).  OTOH, the *implementation* is grotty.

> Hm, perhaps another idea would involve the timestamp of creation in the
> userid somewhere, to make the ids unique. Unfortunately I don't see how
> that would work with external authentication systems such as LDAP, as we
> don't know when userids are created and removed there.

The actual ID used by LDAP is a DSN.  Perhaps the authorization system
could map the DSNs to internally-generated integer ID, which would be
the only value actually stored in grant records.


Tres.
--
===================================================================
Tres Seaver          +1 202-558-7113          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
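The indirection Tres suggests (store only an internally generated integer id in grant records, and map external ids such as LDAP entries onto it) is what makes cleanup on removal reliable: an external id that is deleted and later re-created gets a fresh integer, so stale grants can never attach to the new principal. The following is an added illustration of that design, not code from this thread or from Zope; class and method names are hypothetical.

```python
# Added example, not code from the thread or from Zope: grants are keyed by
# an internally generated integer id, never by the external id (LDAP DN).
# Removing a principal drops its grants, and a later principal with the
# same external id gets a fresh integer, so stale grants cannot attach.
# All names are hypothetical.
import itertools


class GrantStore:
    def __init__(self):
        self._ids = itertools.count(1)   # integer ids are never reused
        self._internal = {}              # external id -> current integer id
        self._grants = {}                # integer id -> {(object, role)}

    def add_principal(self, external_id):
        if external_id in self._internal:
            raise ValueError("principal already exists: %r" % external_id)
        self._internal[external_id] = next(self._ids)
        return self._internal[external_id]

    def grant(self, external_id, obj, role):
        # Only the integer id is stored in the grant record.
        self._grants.setdefault(self._internal[external_id], set()).add((obj, role))

    def roles_for(self, external_id, obj):
        internal = self._internal.get(external_id)
        return {r for o, r in self._grants.get(internal, ()) if o == obj}

    def remove_principal(self, external_id):
        # Residual information protection: drop the mapping and every
        # grant that referenced the integer id.  Even a record missed here
        # could never match a later principal, because the id is not reused.
        internal = self._internal.pop(external_id)
        return len(self._grants.pop(internal, set()))


def reuse_scenario(dn="uid=bob,ou=people,dc=example,dc=com"):
    """Constructed scenario: grant, remove, then re-create the same DN."""
    store = GrantStore()
    first = store.add_principal(dn)
    store.grant(dn, "/site/finance", "Manager")
    dropped = store.remove_principal(dn)
    second = store.add_principal(dn)          # a different person, same DN
    return first, second, dropped, store.roles_for(dn, "/site/finance")
```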