[Grok-dev] grok and complicated permissions
Lennart Regebro
regebro at gmail.com
Mon Oct 1 05:47:51 EDT 2007
Late answer:
On 9/26/07, Brandon Craig Rhodes <brandon at rhodesmill.org> wrote:
> 1) I need more interesting rules. For example, if "Change password"
> is a permission required to use my "ChangePasswordView", then in
> my case it will depend on the combination of who is attempting the
> change and whose account they are acting on. The rule will be
> something like: "If you are a campus-wide admin, you can change
> the password of any account; but if you are department-hired
> admin, then you can only change the passwords of users who work
> for your department."
>
> If I were to attempt this with the default permissions scheme, I
> would have to create tens of thousands of permissions - one for
> every account ("Change password of br32", "Change password of
> ms94", and so forth) and then constantly grant and revoke them as
> admins moved between departments.
I don't know much about Zope3 security, but what normally is done is
that you grant roles for users on objets, and these roles map to a set
of permissions.
Hence, you should have the role "Manage user" that has the permissions
"Change password" and give the role "Manage user" to the Manager for
each user it should manage.
--
Lennart Regebro: Zope and Plone consulting.
http://www.colliberty.com/
+33 661 58 14 64
More information about the Grok-dev
mailing list