[Zope3-Users] PAU - how to give a principal a role

Hermann Himmelbauer dusty at qwer.tk
Tue May 15 12:02:52 EDT 2007

I have to write an Authenticator Plugin for my application. My login/pass data 
is stored in a relational database, which I access via zsqlalchemy.

I have several objects, which are secured by certain permissions. Moreover I 
granted permissions to several roles, which I also defined.

My problem is how to give users, which are stored in my database, the correct 
role (and therefore permission). If I understand it right, an Authenticator 
Plugin returns a principal, which represents a user in the database, but how 
can I map the principal to a specific role? 

Are principals mapped one to one from users to principals? Or should I perhaps 
map many users to one principal?

What I further don't understand is if and why authenticator plugins are called 
when credentials are correctly retrieved via e.g. the 
SessionCredentialsPlugin or how I can prevent it:

When the user logs in, there are no credentials and he has to supply them via 
the login form. Then he is authenticated by the AuthenticatorPlugin (e.g. the 
database is queried for user/pass), and the credentials are stored in the 

However, for subsequent requests, I think it makes no sense to query the 
database again, as the user has already authenticated - or am I getting 
something wrong?

Best Regards,

x1 at aon.at
GPG key ID: 299893C7 (on keyservers)
FP: 0124 2584 8809 EF2A DBF9  4902 64B4 D16B 2998 93C7

More information about the Zope3-users mailing list