[Zope3-Users] Security Roles and custom authenticators and scarcely-persistent apps (HELP!)

Jeff Shell eucci.group at gmail.com
Thu Apr 27 02:20:07 EDT 2006


On 4/26/06, Bernd Dorn <zope-mailinglist at mopa.at> wrote:
>
> On 27.04.2006, at 02:44, Jeff Shell wrote:
>
> > So I spent the day writing an IAuthenticator utility that loads
> > principals out of an RDBMS (via a SQLAlchemy mapper based model). I
> > got that working. All I want right now is to have my site,
> > 'presenters', have view access restricted to the role
> > 'app.Presenters'.
> >
> > The site is persistent and the authenticator is a local utility. I set
> > up the site on load to disallow the 'zope.View' and
> > 'zope.app.dublincore.view' (not really needed, I guess, since I'm not
> > using dublin core anywhere) for the 'zope.Anonymous' role, and allow
> > it for 'app.Presenters' and 'zope.Manager'. It's just a simple /
> > blanket security policy, I know. But something similar has been in
> > place on the Zope 2 based version of this app for a number of years
> > now and has worked fine for this use case.
> >
> > But.. I have no idea how to do this in Zope 3 land. It took me all day
> > to write my authenticator. At the end of the day I saw it working in
> > so far as it obviously retrieved a user record out of the database,
> > validated the password, and returned a dirt simple principal object. I
> > could tell this by the login form giving me a different message this
> > time ("you're not allowed to do that operation"). I tried looking at
> > the Principal-Role map and... I don't understand it.
>
> just plug your own implementation in
>
>   <adapter factory=".your.security.RoleMapImplementation"
>            provides="zope.app.securitypolicy.interfaces.IPrincipalRoleMap"
>            for=".interfaces.IYourSiteOrSo"
>            trusted="true"
>            />
>
> just for granting local roles on the site it's enough to implement
>
>
> > def getRolesForPrincipal(principal_id):
> >         """Get the roles granted to a principal.
> >
> >         Return the list of (role id, setting) assigned or removed from
> >         this principal.
> >
> >         If no roles have been assigned to
> >         this principal, then the empty list is returned.
> >         """
>
> but you have to set your authenticator somewhere, so that you can see
> if the principal is from your authenticator by comparing ids

Thanks for the response. After some snooping around tonight, I was
suspecting that'd be the option to use. But then I decided to try
using IGroupedPrincipal instead. So now when my site configurator sets
up this particular site/app, it:

- Denies permission 'zope.View' to role 'zope.Anybody'
- Grants permission 'zope.View' to principal 'presenter.group'

My authenticator recognizes that and returns an IGroup. All of the
presenters returned have a groups attribute with the value
['presenter.group']. Seems to work so far, and I'm breathing a sigh of
relief tonight. Sure beats hoping I don't mess up an IPrincipalRoleMap
when I've got so much other work to do and am so far behind as it is.
Wheee, life!

--
Jeff Shell
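As an added illustration of the IPrincipalRoleMap route Bernd describes (this is not code from the thread, from Zope or from Jeff's app): a plain-Python role map that grants 'app.Presenters' only to principals whose ids carry the prefix the RDBMS authenticator stamps on them, which is the "comparing ids" check Bernd mentions. The prefix 'rdbms.', the constructed list of presenter ids and the string stand-ins for Zope's Allow/Deny/Unset settings are assumptions so it runs without Zope installed.

```python
# Added example, not from the thread.  Strings stand in for Zope's
# zope.app.securitypolicy.settings.Allow / Deny / Unset objects.
Allow, Deny, Unset = "Allow", "Deny", "Unset"

PRESENTER_ROLE = "app.Presenters"
MANAGER_ROLE = "zope.Manager"


class RdbmsRoleMap:
    """IPrincipalRoleMap-style adapter for the 'presenters' site.

    'app.Presenters' is granted only to principals that our own authenticator
    produced, recognised by its id prefix (assumed 'rdbms.') and by a lookup.
    Anyone else stays Unset, so the global role map and default deny apply.
    """

    def __init__(self, authenticator_prefix, presenter_ids, manager_ids=()):
        self.prefix = authenticator_prefix
        # Constructed stand-in for the SQLAlchemy-backed presenter lookup.
        self.presenters = set(presenter_ids)
        self.managers = set(manager_ids)

    def _is_ours(self, principal_id):
        # A bare database match is not enough: the id must also come from
        # our authenticator, otherwise another plugin's principal could match.
        return (principal_id.startswith(self.prefix)
                and principal_id in self.presenters)

    def getRolesForPrincipal(self, principal_id):
        """Return [(role_id, setting), ...] granted to this principal."""
        roles = []
        if self._is_ours(principal_id):
            roles.append((PRESENTER_ROLE, Allow))
        if principal_id in self.managers:
            roles.append((MANAGER_ROLE, Allow))
        return roles

    def getPrincipalsForRole(self, role_id):
        """Return [(principal_id, setting), ...] holding this role."""
        if role_id == PRESENTER_ROLE:
            ids = [p for p in self.presenters if self._is_ours(p)]
        elif role_id == MANAGER_ROLE:
            ids = list(self.managers)
        else:
            ids = []
        return [(pid, Allow) for pid in sorted(ids)]

    def getSetting(self, role_id, principal_id):
        """Return Allow, Deny or Unset for one role/principal pair."""
        for rid, setting in self.getRolesForPrincipal(principal_id):
            if rid == role_id:
                return setting
        return Unset
```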

