On Tue, 19 Oct 1999, Michel Pelletier wrote:
From: Stuart 'Zen' Bishop [mailto:zen@cs.rmit.edu.au]
I suddenly find myself with a need to populate a list box with all users with a given permission on a particular object. Is there any nifty method hidden away to do this? Or would I be reduced to crawling up the tree looking for userfolders and iterating over the contents (could be a bit sluggish with 3000+ users...)
Uhhhh.... I suspect this can't be done, especially since user's permissions can change from object to object..that's not even the hard part. I could be completly wrong, I'm not the security guru around here.
Perhaps I'll just require tying the username and verifying on form submission :-)
It gets worse, and I'd really like to hear peoples ideas on doing this, or alternative designs. The situation: I'm writting a work flow system (well... problem tracking system except I don't want it to be technician specfic). I need to find all people with the 'Change Job' permission for the following reasons: - Populate a selection control to assign someone to a job - When a new job is submitted, email everyone with the 'Change Job' permission I need a method that will retrieve a list of all users with a given permission on a given object. I think I can do it with the following code, but I think it will be painfully slow with over 3000 users unless I cache the results: <dtml-in "object.get_valid_userids()"> <dtml-if "_['sequence-item'].has_permission('Change Job',object)"> Append sequence-item to a list </dtml-if> </dtml-in> Even if I cache the results, someone will get a very slow response if that cache has expired when they make their request (precaching anyone? Or spawning a background task to fill out the new values in a seperate transaction whilst reusing the old values?) All the alternatives I've come up to not need this information are painful: - Shadow the list of users with the required permissions in the area. This is just plain unmaintainable if it has to be done manually (after creating a user, go through the queues and areas adding them to the right lists). It might be possible to shadow the list automatically by crawling up the tree occasionally and calling has_permission for each user object I find (assuming I can retrieve a user lists from all the user folders above me). - Provide a DTML hook for the Zope administrator to rewrite - it would return a list of relevant users. This makes installation and maintenance non-trivial (instead of just point-and-drool granting of a permission to a role, DTML code would have to be written and tested). ___ // Zen (alias Stuart Bishop) Work: zen@cs.rmit.edu.au // E N Senior Systems Alchemist Play: zen@shangri-la.dropbear.id.au //__ Computer Science, RMIT WWW: http://www.cs.rmit.edu.au/~zen