On Sun, Feb 23, 2003 at 09:02:24PM +0100, Dieter Maurer wrote:
I think (not sure, though) that Zope has the following time complexity for permission checking:
If a user has "u" roles and a permission is allowed for "a" roles, then Zope checks for each of the "u" roles whether it is in the list of "a" roles.
That's correct, I just found this in lib/python/AccessControl/User.py, in the definition of "allowed":

    user_roles = self.getRoles()
    for role in object_roles:
        if role in user_roles:
            if self._check_context(object):
                return 1
            return None

(_check_context ensures that the object is not acquired from some other context where this user doesn't exist.)
The complexity is "u * a" which can be too high for large "u" and "a".
Indeed... and object_roles seems likely to be bigger than user_roles (in general, but drastically more so in my scenario), which means that it's quite likely we'd iterate for quite some time before finding a match.
It is easy to optimize this to "u + a" (via a dictionary), then thousands of roles should not be a problem.
Would that mean you have to build a (potentially huge) dictionary every time? I'd greatly appreciate it if you could expand on this suggestion. Thanks!

--
Paul Winkler
http://www.slinkp.com
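
Added example (not part of the original message, and not Zope's code): a sketch comparing the list scan quoted above with a dictionary lookup, counting the steps each one takes. The function names, the "lookup" parameter for reusing a prebuilt dictionary, and the sample roles are assumptions made for illustration; _check_context is left out.

```python
# Added illustration, not Zope code. _check_context is left out, and
# the role names and sizes are constructed.

def allowed_scan(user_roles, object_roles):
    """The loop from the snippet: 'role in user_roles' on a list is a
    linear scan, written out here so the comparisons can be counted."""
    steps = 0
    for role in object_roles:
        for candidate in user_roles:
            steps += 1
            if candidate == role:
                return True, steps
    return False, steps


def allowed_dict(user_roles, object_roles, lookup=None):
    """Same answer via a dictionary. Building it costs u insertions;
    pass a prebuilt 'lookup' to skip that cost on later checks."""
    steps = 0
    if lookup is None:
        lookup = dict.fromkeys(user_roles)
        steps = len(user_roles)
    for role in object_roles:
        steps += 1                       # one hash probe per object role
        if role in lookup:
            return True, steps
    return False, steps


def sample_roles(n, prefix, shared=True):
    """n constructed role names; the last one is common to both sides."""
    roles = ["%s%d" % (prefix, i) for i in range(n - 1)]
    return roles + ["shared" if shared else prefix + "last"]


if __name__ == "__main__":
    user, obj = sample_roles(1000, "u"), sample_roles(1000, "o")
    print("scan:        ", allowed_scan(user, obj))
    print("dict:        ", allowed_dict(user, obj))
    cached = dict.fromkeys(user)         # built once, reused per check
    print("dict, cached:", allowed_dict(user, obj, cached))
```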