[Zope-PTK] Workflow - security model

Jay, Dylan djay@avaya.com
Mon, 4 Dec 2000 16:48:54 +1100


I've been thinking about how I want to implement a content management site
for project related stuff here at work. The more I think about it the less I
see the workflow model for PTK as useful. As I understand it, PTK workflow
works like this. Most content is created in each users home directory.
Anyone can view this; however, when someone wants to make this public they
make a request. This results in a mail or similar to someone who approves
it. This results in the content being catalogued and therefore hooked into
the search mechanism.

My problem is this. This only works if content is based in members folders
and is only discoverable via the catalogue. I was thinking a site where each
project had a folder that contained project-specific information... wikis,
pages, requirements docs etc. Different people could have permission to edit
different things and some people could have permission to edit but those
changes don't become public until they have been authorized. If you only have
one version of a document that can be edited then the cataloguing trick
isn't going to cut it. Zope already has a versioning system. How about tying
in workflow to the versioning system. Someone only has permission to edit
something in a version. These changes are insulated from other people. When
it comes time they want to make those changes public then they request
authorization. This notifies one or more authorizees who then can review the
changes and accept. Accepting saves the version and therefore makes it
public. You could also do any catalogue updating at this time also. The
great thing about this model is it will work for any kind of content not
just stuff that relies on non-publishing via obscurity. The problem is I
can't see how to set permissions so as to allow a user to do certain actions
but only in a particular version. I suspect this is a major change to
Zope's security model. Anyone got any ideas on how to do this?