[Zope3-dev] questions concerning the security framework

Sven Schomaker Sven.Schomaker at linie-m.de
Tue Jan 4 04:17:21 EST 2005


Hello dear list people,

I apologize for posting this message to the
dev-list but up to now I did not really get a
reply on the users-list that could answer my
questions.

I'm currently about to evaluate z3 to be able
to suit the needs I face in a wider project
that is about to be started out by me.

So far z3 seems quite promising but there are
still some questions to be solved before being
able to assure (almost) risk-free use of z3 and
I hope you are able to answer some of my questions
(or at least give me a hint about where to look
about for answers).

To get somewhat familiar with the new z3
framework I read the z3 book and started out
to code the message board in a slightly extended
fashion. Now that I'm on the job to implement
some fancy security system on the message board
I'm admittedly stuck a bit and wonder how to do it.


So here is what I intend to do:
-----------------------------------------

A message board can contain announcements
and topics. Topics are actually nothing more
than renamed messages and can contain replies.

Moderators/Managers are supposed to be able
to post announcements. Valid users of the
message board should be able to post topics,
messages and replies (at this point it doesn't
seem to matter how they become valid users).

If a message/topic gets posted, it is submitted
to the moderator and gets rejected or approved,
i.e. messages are subject to a specific workflow.

And here are my questions:
--------------------------------------

Since the message board is a container and the
framework uses __setitem__ to add new objects
to the container, how would one distinguish the
permissions to add an announcement from the
permission to add a topic with zcml or with
explicit Python coding?

Another question is about bringing the workflow
into the security system. As I was able to determine
there is the possibility to configure permissions
on causing state transitions using zcml. That's fine
so far, but how would one restrict e.g. the ability
to modify messages once they have been submitted,
i.e. bind the permissions on content-objects to a
specific workflow state?

The next question is whether there is something
like a built-in role for the owner of an object or
if there is the notion of ownership at all? For me
this seems to be necessary if one would only grant
permissions to modify an object if he/she is the owner
of that particular object as it has been done in z2.

And last but not least, is there the concept of local
roles like it has been in z2?


So far so good, many questions, quite a lot of text
and a good hope that somebody can give me a hint.

Great thanks in advance and a happy new year
to all of you

Sven Schomaker


--
__________________Addressed by:_________________

Dipl.-Inf. (FH) Sven Holger Cochise Schomaker

Linie M - Metall Form Farbe - GmbH
Industriestraße 8
63674 Altenstadt (Hessen)
Germany

Tel.: +49 6047 97 121
      +49 179 14 79 309

Mail: sven.schomaker at linie-m.de
      sven.schomaker at gmx.de

Public Key: hkp://blackhole.pca.dfn.de
            hkp://pgp.mit.edu

Key ID: D581185EFF60FEA0

Key fingerprint: 28FB 599C 4591 D200 BC69
                 EB88 D581 185E FF60 FEA0

_______________________________________________
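
The access rules asked about in the message above, modelled in plain Python. This is an added example, not part of the original post and not Zope 3 code or API: the permission names, role grants, state names and all functions are hypothetical, and letting reviewers edit submitted items is an assumption.

```python
from dataclasses import dataclass

class Unauthorized(Exception):
    """Raised when an access check fails."""

# Constructed role -> permission grants; every name here is hypothetical.
GRANTS = {
    "Moderator": {"board.AddAnnouncement", "board.AddTopic", "board.Review"},
    "Member": {"board.AddTopic"},
}
# The permission needed to add depends on the type of the object being added.
ADD_PERMISSION = {"Announcement": "board.AddAnnouncement", "Topic": "board.AddTopic"}

@dataclass
class Item:
    kind: str
    owner: str
    body: str
    state: str = "draft"  # draft -> submitted -> approved or rejected

def has_permission(roles, permission):
    return any(permission in GRANTS.get(role, ()) for role in roles)

class Board:
    def __init__(self):
        self.items = {}

    def add(self, user, roles, key, kind, body):
        # One container, but the check is chosen per item type; unknown types fail closed.
        permission = ADD_PERMISSION.get(kind)
        if permission is None or not has_permission(roles, permission):
            raise Unauthorized(f"{user} may not add a {kind}")
        self.items[key] = Item(kind, user, body)
        return self.items[key]

def can_edit(user, roles, item):
    # Ownership acts like a role local to one object, valid only before submission.
    if item.state == "draft":
        return item.owner == user
    # Assumption: once submitted, only reviewers may still change the text.
    return item.state == "submitted" and has_permission(roles, "board.Review")

def edit(user, roles, item, body):
    if not can_edit(user, roles, item):
        raise Unauthorized(f"{user} may not edit in state {item.state}")
    item.body = body

def submit(user, item):
    if item.owner != user or item.state != "draft":
        raise Unauthorized(f"{user} may not submit this item")
    item.state = "submitted"
```
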


