(Zope2) a proposed tweak to assigning default roles to permissions
Background: In Zope 2 prior to Zope 2.12, registering a new permission involved the following (usually behind-the-scenes) steps: 1. adding the permission name to the AccessControl.Permission._registeredPermissions dictionary 2. adding a tuple to the Products.__ac_permissions__ list including the permission name and default roles 3. setting a attribute (with name equal to a mangled version of the permission name) of AccessControl.Permission.ApplicationDefaultPermissions to the default roles 4. registering the permission as a Zope 3 permission using the <permission> ZCML directive In practice in CMF-based applications, the first 3 items of this list were often accomplished by a call (usually during product initialization) to Products.CMFCore.permissions.setDefaultRoles. So for a developer adding a new permission, there were generally 2 tasks required (calling setDefaultRoles and calling the <permission> directive). In Zope 2.12, the situation improved. There is now an event handler which automatically performs steps #1-3 when a permission is registered using the <permission> directive, setting the default role to Manager. Unfortunately, this makes things tricky if one wants to register a permission with a different set of default roles. That's because setDefaultRoles (and its new incarnation as AccessControl.Permission.addPermission in Zope 2.13) abort if you try to register a permission that is already registered, so it needs to be called prior to the execution of ZCML actions -- so import time is the only option. Proposal: As an alternative to requiring calling setDefaultRoles/addPermission at import time, I suggest that we add an optional roles attribute to the <permission> directive. This would then be used when the directive is executed, instead of the current hard-coded Manager setting. Examples: <!-- a new permission with 2 default roles --> <permission id="my.NewPermission" title="My new permission" roles="Manager SiteAdmin"/> <!-- a new permission with Manager as the sole, implicit role (backwards-compatible) --> <permission id="my.OtherPermission" title="My other permission"/> Thoughts? One downside is that we would need to override the permission directive instead of using the implementation in zope.security. On the other hand, it's not a complicated directive. thanks for your consideration, ---------- David Glick Web Developer davidglick@groundwire.org 206.286.1235x32 Groundwire: You Are Connected http://groundwire.org
Proposal:
As an alternative to requiring calling setDefaultRoles/addPermission at import time, I suggest that we add an optional roles attribute to the <permission> directive. This would then be used when the directive is executed, instead of the current hard-coded Manager setting. Examples:
This is a proposal to implement this for Zope 2.13, btw. ---------- David Glick Web Developer davidglick@groundwire.org 206.286.1235x32 Groundwire: You Are Connected http://groundwire.org
Hi. On Thu, Aug 19, 2010 at 6:15 AM, David Glick <davidglick@groundwire.org> wrote:
As an alternative to requiring calling setDefaultRoles/addPermission at import time, I suggest that we add an optional roles attribute to the <permission> directive. This would then be used when the directive is executed, instead of the current hard-coded Manager setting. Examples:
<!-- a new permission with 2 default roles --> <permission id="my.NewPermission" title="My new permission" roles="Manager SiteAdmin"/> <!-- a new permission with Manager as the sole, implicit role (backwards-compatible) --> <permission id="my.OtherPermission" title="My other permission"/>
Can roles currently contain whitespace? Like "Awesome People"? If so, we should go for nested nodes: <permission id="my.NewPermission" title="My new permission"> <role>Manager</role> <role>SiteAdmin</role> <role>Awesome People</role> </permission> I think this matches the style of some of the GenericSetup handlers which deal with permissions. I'd not be concerned about overriding the security directive here. AccessControl's security concept is very different from the one in zope.security. I don't expect Zope2 to ever be fully compatible with the current zope.security notion. It's more likely that they will converge to a third implementation at some point in the future. Hanno
Hi, On 19 August 2010 16:46, Hanno Schlichting <hanno@hannosch.eu> wrote:
Hi.
On Thu, Aug 19, 2010 at 6:15 AM, David Glick <davidglick@groundwire.org> wrote:
As an alternative to requiring calling setDefaultRoles/addPermission at import time, I suggest that we add an optional roles attribute to the <permission> directive. This would then be used when the directive is executed, instead of the current hard-coded Manager setting. Examples:
<!-- a new permission with 2 default roles --> <permission id="my.NewPermission" title="My new permission" roles="Manager SiteAdmin"/> <!-- a new permission with Manager as the sole, implicit role (backwards-compatible) --> <permission id="my.OtherPermission" title="My other permission"/>
Can roles currently contain whitespace? Like "Awesome People"?
Yes, they can.
If so, we should go for nested nodes:
<permission id="my.NewPermission" title="My new permission"> <role>Manager</role> <role>SiteAdmin</role> <role>Awesome People</role> </permission>
I think this matches the style of some of the GenericSetup handlers which deal with permissions.
+1 Martin
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 8/19/10 09:46 , Hanno Schlichting wrote:
Can roles currently contain whitespace? Like "Awesome People"?
If so, we should go for nested nodes:
<permission id="my.NewPermission" title="My new permission"> <role>Manager</role> <role>SiteAdmin</role> <role>Awesome People</role> </permission>
I think this matches the style of some of the GenericSetup handlers which deal with permissions.
+1 jens -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkxs8PoACgkQRAx5nvEhZLIG8ACePKMag3XuAGaf/JLhm8JOeu/I uzQAn3oE3Ft/Ayp+zi3Wl5kQ2I0p78Q4 =qJx6 -----END PGP SIGNATURE-----
On 8/19/10 12:46 AM, Hanno Schlichting wrote:
Hi.
On Thu, Aug 19, 2010 at 6:15 AM, David Glick <davidglick@groundwire.org> wrote:
As an alternative to requiring calling setDefaultRoles/addPermission at import time, I suggest that we add an optional roles attribute to the <permission> directive. This would then be used when the directive is executed, instead of the current hard-coded Manager setting. Examples:
<!-- a new permission with 2 default roles --> <permission id="my.NewPermission" title="My new permission" roles="Manager SiteAdmin"/> <!-- a new permission with Manager as the sole, implicit role (backwards-compatible) --> <permission id="my.OtherPermission" title="My other permission"/>
Can roles currently contain whitespace? Like "Awesome People"?
If so, we should go for nested nodes:
<permission id="my.NewPermission" title="My new permission"> <role>Manager</role> <role>SiteAdmin</role> <role>Awesome People</role> </permission>
I think this matches the style of some of the GenericSetup handlers which deal with permissions.
Implemented at svn+ssh://svn.zope.org/repos/main/AccessControl/branches/davisagli-permission-directive -- can someone please review? Also, where should I document this addition? thanks, ---------- David Glick Web Developer davidglick@groundwire.org 206.286.1235x32 Groundwire: You Are Connected http://groundwire.org
participants (4)
-
David Glick -
Hanno Schlichting -
Jens Vagelpohl -
Martin Aspeli