[Zope3-dev] Re: Mini-proposal: member-aware group interface

Florent Guillaume fg at nuxeo.com
Thu Jan 12 19:22:21 EST 2006 

Gary Poster wrote:
> Problem:
> We need to be able to iterate over the members of a group, given a  
> group id.  With the interfaces in zope.security, the only way to do  
> this is to iterate over all principals known to the system, check  their 
> `groups` attribute, and if the group id is in the list then  include 
> it.  This is obviously problematic.
> 
> If we constrain ourselves to the pluggable authentication utility in  
> zope.app.authentication, we have some help, but it is pretty  
> inconvenient and conceivably problematic.  The following (untested  
> sketch of a) approach is a good try for the common case, but won't  
> handle nested authentication utilities, and relies on an interface  not 
> in an interfaces.py:
> 
> from zope import component
> from zope.app.authentication import interfaces
> import zope.app.authentication.groupfolder
> 
> group_id = 'foo'
> 
> auth = component.getUtility(interfaces.IPluggableAuthentication)
> for name in auth.authenticatorPlugins:
>     plugin = component.queryUtility(
>         interfaces.IAuthenticatorPlugin, name, context=auth)
>     if zope.app.authentication.groupfolder.IGroupFolder.providedBy 
> (plugin):
>         try:
>             principals = plugin.getPrincipalsForGroup(group_id)
>         except KeyError:
>             pass
>         else:
>             break
> else:
>     raise RuntimeError('Not Found')
> 
> Or something like that.  As I said, this doesn't even handle some of  
> the more complex cases.  Whew!
> 
> Solution:
> Add a new interface to zope.security.interfaces:
> 
> class IMemberAwareGroup(IGroup):
>     members = interface.Attribute('an iterable of members of the  group')
> 
> Then make the groups that the zope.app.authentication.groupfolder  
> plugin generates implement the new interface.

I think I'm for it, but in some cases even though groups may be able to 
list all their members it may (if they're dynamically computed) turn out 
to be a huge list. I guess in that case you could simply not advertise 
that the group implements the interface.

Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)   Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   fg at nuxeo.com

More information about the Zope3-dev mailing list