On March 5, Paul Winkler wrote:
* more coupling
Yes.
* performance hit
Yes.
* one more detail to pay attention to
Yes.
OTOH, doing the magic in user.allowed() would mean I'd only need one "special" UserFolder instance at the top of the hierarchy, and then everything else Just Works regardless of what folderish thing it is and all my LDAP-related code would be in this UserFolder class.
Am I overlooking something?
No, I think you've distilled the issue quite concisely.

(/me revisits LDAPUserFolder)

Looks like the work is already done for you anyway: allowed() and friends check if the context has an attribute acl_satellite, and query it for any additional roles, and it even keeps a cache. You could probably just customise the Folder to automagically place a satellite object in it. Or otherwise borrow the logic to do what you need. Huzzah open-source software!

a.

--
Adrian van den Dries  adriand@flow.com.au
Development team  www.dev.flow.com.au
FLOW Communications Pty. Ltd.  www.flow.com.au