[Zope3-dev] Principal Comparison and/or References

Gary Poster gary at zope.com
Fri Jan 13 07:35:04 EST 2006


On Jan 13, 2006, at 12:18 AM, Jeff Shell wrote:

...
> With all of the other principal / group mini-proposals going on, does
> there need to be a way to strongly (if that's the right word) compare
> a principal looked up from an id that came out of... well, somewhere
> (a transaction log record, a string stored in the 'creators' dublin
> core sequence, etc), or even against each other?
>
>>>> b3_1 = zapi.principals().getPrincipal('brcms.user.3')
>>>> b3_2 = zapi.principals().getPrincipal('brcms.user.3')
>>>> b3_1 is b3_2
> False
>>>> b3_1 == b3_2
> False
>
> Comparing the id attribute works. Is it reasonable to assume that
> zapi.principals().getPrincipal(request.principal.id) should return the
> same principal as request.principal? And thus if
> somerecord['creator_id'] == request.principal.id, that's considered a
> good match?

Yes.  We compare on principal id.

I believe it would be relatively easy to set up your system in such a  
way that this would not be safe.  For instance, you could have two  
sites, both with authentication utilities.  If each authentication  
utility had the same prefix and had a user with the same key in the  
auth utility, then you would have two different users with identical  
ids in the system.

Don't do that. :-)

It might be reasonable to add a bit to the IPrincipal interface that  
__eq__ is provided and uses id to compare.  That seems reasonable to  
me, but maybe others have qualms.  Care to write a mini-proposal? ;-)

Gary


More information about the Zope3-dev mailing list