Jürgen Herrmann wrote:
[ Dieter Maurer wrote:]
Jürgen Herrmann wrote at 2005-10-19 15:34 +0200:
i use the SimpleUserFolder product and derive a MyUser class from it's included User class, which in turn inherits from BasicUser.
the SimpleUserFolder's User class does neither reimplement getRolesInContext() nor allowed(). i looked at the source of BasicUser (lib/python/AccessControl/User.py) and found out that allowed() does not use the information provided by getRolesInContext(). i found this comment: # Still have not found a match, so check local roles. We do # this manually rather than call getRolesInContext so that # we can incur only the overhead required to find a match.
so if i reimplement getRolesInContext() in MyUser, i'll probably also have to reimplement allowed() to reflect the possibly added local roles, right?
Yes.
... ps: looking at the code of allowed() i doubt that the "manual" checking of local roles will speed this method up a lot: local roles seem to be a seldomly used feature, the improvement in speed would only occur if the object in question was protected by a local role
Be careful about terminology! Objects are not protected by roles (but by permissions).
k, i'll take care in the future :)
You gain something if a near local role grants the necessary permission. The "Owner" local role tends to be very near.
Thus, you may gain, when usually owners try to execute protected methods.
sounds reasonable.
(and not a normal one). is this enough to justify duplicated code with all of it's disadvantages)?
Nobody prevents you to implement your "allowed" by means of "getRolesInContext".
-- Dieter
ok, it just felt a little wrong to reimplement allowed... but if thats the way, fine by me!
to dig a little deeper into zope's security machinery, does anybody know where to look at (in the source) f.ex. to find the place where the owner role is assigned to a user?
That's done by OFS.ObjectManager._setObject. Florent -- Florent Guillaume, Nuxeo (Paris, France) CTO, Director of R&D +33 1 40 33 71 59 http://nuxeo.com fg@nuxeo.com