[Zope-CMF] A very long permissions list ;-)

[Shane Hathaway]

Chris Withers wrote:
> Well, to get the full dimensions, you probably want:
> 
> content type * content state * action * location * owner
> 
> ...and I'm sure it could be made even worse with more flexibility ;-)

We could advertise this as "n-dimensional security"... ;-)

> > Here is our plan: the configurable workflow will take over the role ->
> > permission -> method mappings.  There are several current views on the
> > specifics, but essentially the workflow will manage security.  Workflows
> > can manage security in more flexible ways, such as allowing access to
> > methods based on object state.
> 
> How will they interact with the security machinery and normal Zope permissions?

The workflow will take over security computation at whatever point it
sees fit: it might remap permissions, roles, users, or even methods
themselves.  That's the plan.

> Also, where can I find out more about this workflow tool? I go to the
> portal_workflow tool's ZMI in my portal and all I get is Undo, Ownership and
> Security tabs.

In CVS it has been revised somewhat: portal_workflow is now a folder
where you can assign types to workflows.  I think it makes several
things clearer.  You should read the API documentation on the
portal_workflow tool, especially the WorkflowDefinition interface.

> It'd be great if stuff happened declaratively (if you see what I mean) rather
> than having to programmatically check whether you can do something by consulting
> the workflow tool all the time.

What do you mean?  Are you saying the workflows would manually remap
permissions?  That's actually what is done now and there are problems
with it, such as not being able to explicitly disable a role to
permission mapping without embedding role names in objects.

Shane