Tres Seaver wrote:
Martin Aspeli wrote:
I've not done this yet:
3) Change the Permission class in AccessControl so that it tries to look up an IPermission utility and use the title of that utility as the permission name, falling back on the current behaviour of using the passed permission name directly. I'd like to solicit a bit more input before attempting this, as I got at least one -1.
I think this is the bigger win, though, and I'd still like to do it unless performance becomes prohibitive or it turns out to be too invasive a change.
-1: I think both of those will be true. I also don't see much win.
The major goal should be to unify the API for add-ons, rather than the implementation: your #1 and #2 already did that, I think.
I had a deeper look last night, and I think this would be more invasive than I'd feared. I thought originally the Permission class was used everywhere, but on further inspection, I see that manually constructed '_Permission' strings are used in a lot of places, including C code.

It frightens me slightly that, having pdb'd my way through AccessControl a number of times, I still have only a fuzzy idea about how the permissions system works, and I haven't found any solid documentation with the code.

I think to unify the API, we'd need to:

- Promote the zope.security checkPermission method like Hanno suggested
- Change rolemap.xml in GenericSetup to accept Zope 2 names
- Look at other places where permission names are passed around in code (there are a few places in Plone, for instance) and make sure we always prefer the Zope 3 dotted name.

Martin

--
Author of `Professional Plone Development`, a book for developers who want to work with Plone. See http://martinaspeli.net/plone-book