[Zope3-Users] Security Roles and custom authenticators and scarcely-persistent apps (HELP!)

Jeff Shell eucci.group at gmail.com
Wed Apr 26 20:44:58 EDT 2006


So I spent the day writing an IAuthenticator utility that loads
principals out of an RDBMS (via a SQLAlchemy mapper based model). I
got that working. All I want right now is to have my site,
'presenters', have view access restricted to the role
'app.Presenters'.

The site is persistent and the authenticator is a local utility. I set
up the site on load to disallow the 'zope.View' and
'zope.app.dublincore.view' (not really needed, I guess, since I'm not
using dublin core anywhere) for the 'zope.Anonymous' role, and allow
it for 'app.Presenters' and 'zope.Manager'. It's just a simple /
blanket security policy, I know. But something similar has been in
place on the Zope 2 based version of this app for a number of years
now and has worked fine for this use case.

But... I have no idea how to do this in Zope 3 land. It took me all day
to write my authenticator. At the end of the day I saw it working in
so far as it obviously retrieved a user record out of the database,
validated the password, and returned a dirt simple principal object. I
could tell this by the login form giving me a different message this
time ("you're not allowed to do that operation"). I tried looking at
the Principal-Role map and... I don't understand it. It's very
annotations oriented (the default implementation storing data in some
internal table-like structure). I, obviously, don't have annotations
going on right now. The hard thing is that I can't even figure out at
first glance what the different security manager adapters
(PrincipalRole, RolePermission, etc) are meant to adapt - a principal?
an object? a site? I'm not sure how much of the interface I have to
provide, what I should have it adapt (my Site object, I'm guessing?),
and so on.

All I want to say is "every user returned from this authenticator has
the view access for this site".

I'm not sure which of these I have to fill in. I'm not wanting to
assign every principal coming out of the RDBMS a role mapped in the
ZODB - so do I have to straddle both ZODB and RDBMS worlds here?
"Mappings between principals and roles" - where? A local object?
Globally? Do the answers have to include all answers from higher up
the tree if there's anything? Global settings? Am I looking at the
wrong thing?

from zope.interface import Interface

class IPrincipalRoleMap(Interface):
    """Mappings between principals and roles."""

    def getPrincipalsForRole(role_id):
        """Get the principals that have been granted a role.

        Return the list of (principal id, setting) who have been assigned or
        removed from a role.

        If no principals have been assigned this role,
        then the empty list is returned.
        """

    def getRolesForPrincipal(principal_id):
        """Get the roles granted to a principal.

        Return the list of (role id, setting) assigned or removed from
        this principal.

        If no roles have been assigned to
        this principal, then the empty list is returned.
        """

    def getSetting(role_id, principal_id):
        """Return the setting for this principal, role combination
        """

    def getPrincipalsAndRoles():
        """Get all settings.

        Return all the principal/role combinations along with the
        setting for each combination as a sequence of tuples with the
        role id, principal id, and setting, in that order.
        """


--
Jeff Shell
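As an added, stand-alone illustration (not from the post and not Zope's own code): a minimal object that honours the IPrincipalRoleMap contract quoted above and grants 'app.Presenters' to every principal whose id carries the RDBMS authenticator's prefix, while an explicit per-principal setting (the kind a ZODB-stored map would hold) still wins. The strings "Allow"/"Deny"/"Unset", the id prefix "rdbms." and the sample principals are assumptions made for the example.

```python
# Added example: a rule-based look-alike of IPrincipalRoleMap in plain Python.
# No Zope imports; "Allow"/"Deny"/"Unset" stand in for Zope's setting objects.
Allow, Deny, Unset = "Allow", "Deny", "Unset"

ROLE = "app.Presenters"
PREFIX = "rdbms."   # assumed id prefix the RDBMS authenticator gives its principals


class RuleBasedPrincipalRoleMap:
    """Grants ROLE to every RDBMS-backed principal unless explicitly overridden.

    Explicit entries take precedence, so one Deny still locks a single
    account out of a blanket grant.
    """

    def __init__(self, explicit=None, list_rdbms_ids=None):
        # explicit: {(role_id, principal_id): setting}, like a stored map
        self.explicit = dict(explicit or {})
        # callable listing ids the authenticator knows; only needed to
        # enumerate, since the blanket rule itself holds no principal list
        self.list_rdbms_ids = list_rdbms_ids or (lambda: [])

    def getSetting(self, role_id, principal_id):
        setting = self.explicit.get((role_id, principal_id), Unset)
        if setting == Unset and role_id == ROLE and principal_id.startswith(PREFIX):
            return Allow
        return setting

    def getRolesForPrincipal(self, principal_id):
        roles = {r: s for (r, p), s in self.explicit.items() if p == principal_id}
        if ROLE not in roles and principal_id.startswith(PREFIX):
            roles[ROLE] = Allow
        return sorted(roles.items())

    def getPrincipalsForRole(self, role_id):
        principals = {p: s for (r, p), s in self.explicit.items() if r == role_id}
        if role_id == ROLE:
            for pid in self.list_rdbms_ids():
                principals.setdefault(pid, Allow)
        return sorted(principals.items())

    def getPrincipalsAndRoles(self):
        rows = dict(self.explicit)
        for pid in self.list_rdbms_ids():
            rows.setdefault((ROLE, pid), Allow)
        return sorted((r, p, s) for (r, p), s in rows.items())


# Constructed sample data: two RDBMS users, one locked out, one explicit manager grant.
RDBMS_USERS = ["rdbms.alice", "rdbms.bob"]
EXPLICIT = {(ROLE, "rdbms.bob"): Deny, (ROLE, "zope.manager"): Allow}
role_map = RuleBasedPrincipalRoleMap(EXPLICIT, lambda: RDBMS_USERS)
```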

