[Zope3-dev] Re: full closure of group membership
Gary Poster
gary at zope.com
Thu Jan 12 20:35:54 EST 2006
On Jan 12, 2006, at 7:16 PM, Florent Guillaume wrote:
> Gary Poster wrote:
>> Primary problem:
>> We frequently want to know the full closure of group membership.
...
> +1, a long time ago I suggested something similar because in the
> CPS framework of groups we need knowledge both of direct membership
> and transitive closure (we have a getGroups method that's the
> direct groups, and a getComputedGroups that's the transitive
> closure and is used for instance when we have groups of groups).
>
> I'm still not using the zope 3 principal framework but at some
> point I know I'll need it in zope 3 too :)
:-) cool.
> Do you think your interfaces fit the need of "computed" groups? I'm
> not sure if the meaning of "computed" is clear but I can expand on
> that if it's not (for instance, it could be for the case where
> groups exist dynamically according to some computation on the
> prinicpal's properties).
I know what you mean--we've done that in Zope 2 also.
I think my change fits the need of computed groups fine: computed
groups would be a part of the direct iterable of `groups` for a
principal, from which the full closure (`allGroups`) would continue
to be calculated.
The current IPrincipal interface has a bit of a problem for computed
groups but is pretty close, I'd say. Right now, the core principal
interface in zope.security says that `groups` is a list. A list that
has an unremovable member--a calculated group--is a bit hacky to
model, so you might want to have a different API for mutating the
groups--or maybe it's *all* calculated and imutable. If this core
interface were restricted to say that `groups` is a readonly iterable
(which would be sufficient for the security policies I know, AFAIK),
and then another interface extended it to match the current interface
(a list), then the core interface would allow other principal
implementations to determine the `groups` value in other ways.
That change sounds good to me, but also sounds like a separate mini-
proposal. :-)
Gary
More information about the Zope3-dev
mailing list