[Zope-CMF] [dev] CMF 1.4 alpha

Florent Guillaume fg@nuxeo.com
27 Feb 2003 16:33:28 +0100


On Thu, 2003-02-27 at 14:02, Chris Withers wrote:
> Florent Guillaume wrote:
> > Well, that a permission on the TI be used to control the viewability of
> > instances seems a bit like a hack to me (although it's not without some
> > logic I must admit). I'd much have preferred to have in the TI an
> > explicit list of roles allowed to see the instances. Same thing for
> > creation.
> 
> I disagree pretty strongly. The TI provides the meta-information for a
> piece of content. We _could_ do what DC Workflow does and provide a
> whole separate system for managing role-permission mappings for these
> two permissions, but why do that when simply setting permissions on
> the TI could work so well? It seems pretty intuitive to me, does
> anyone apart from you find it unintuitive?

Well the Zope security model does not care about "related" objects, the
permissions on an object apply to the object and its methods. The
security model does not care for the fact that the TI is
"meta-information" on the object. That's what's unintuitive.

Setting permissions on the TI does nothing by itself for the instances.
An instance marked as "not visible" by that View permission mechanism is
still visible if you know its path.

Let's separate the problems:

- controlling viewability of instances in a folder listing depending on
their type: if that's wanted, that should be done by folder_contents.pt
by checking that the TI is visible. That's actually what contentIds
does. But that's not a core security mechanism.

- controlling viewability of the TI: there, View is fine. But what does
"View the TI" mean? A user has to get hold of a TI if it wants to check 

- controlling creation: that's really controlling the calling of the
constructInstance method on the TI. And isConstructionAllowed has to be
kept in sync. So the test for a creation permission should really be in
isConstructionAllowed.


Ok so I guess my position is now that an "Add instances" permission is
fine. Let's not reuse other permissions, it's not clean.

This doesn't prevent us from adding more fine-grained guards on the
creation, like a TALES guard. This would solve the problem of people who
want to create only certain types in certain folders.


Cheers,

Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87  http://nuxeo.com  mailto:fg@nuxeo.com
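The creation-guard design argued for above (one check living in isConstructionAllowed, reused by constructInstance, plus an optional finer-grained guard for "certain types in certain folders"), as an added toy model in Python. It is not CMF's own code: the User/Folder/TypeInfo classes, the "Add instances" permission string and the folder paths are constructed for illustration.

```python
# Added example: a toy model of the creation guard discussed above, constructed
# for illustration; it is not CMF's own code and all names are assumptions.

class User:
    def __init__(self, name, roles):
        self.name, self.roles = name, frozenset(roles)


class Folder:
    def __init__(self, path, role_permissions):
        # role_permissions: permission name -> roles granted it in this folder
        self.path, self.role_permissions, self.contents = path, role_permissions, {}


class TypeInfo:
    ADD_PERMISSION = "Add instances"  # constructed name, as proposed in the thread

    def __init__(self, type_id, extra_guard=None):
        self.type_id = type_id
        # Optional fine-grained guard standing in for a TALES guard: (folder, user) -> bool
        self.extra_guard = extra_guard

    def isConstructionAllowed(self, folder, user):
        # The only place the creation check lives, so the UI and the
        # constructor can never disagree.
        granted = folder.role_permissions.get(self.ADD_PERMISSION, set())
        if not (user.roles & granted):
            return False
        return self.extra_guard is None or self.extra_guard(folder, user)

    def constructInstance(self, folder, user, obj_id):
        # Reuses the same guard rather than a duplicated check that could drift.
        if not self.isConstructionAllowed(folder, user):
            raise PermissionError(f"{user.name} may not add {self.type_id} in {folder.path}")
        folder.contents[obj_id] = {"type": self.type_id, "path": f"{folder.path}/{obj_id}"}
        return folder.contents[obj_id]


def only_under_news(folder, user):
    """Constructed guard: this type may only be created under /news."""
    return folder.path.startswith("/news")


def demo():
    """Returns (allowed in /news, allowed in /, allowed for a plain Member)."""
    perms = {TypeInfo.ADD_PERMISSION: {"Manager", "Owner"}}
    news, root = Folder("/news", perms), Folder("/", perms)
    manager, member = User("alice", ["Manager"]), User("bob", ["Member"])
    ti = TypeInfo("News Item", extra_guard=only_under_news)
    ti.constructInstance(news, manager, "item1")
    return (ti.isConstructionAllowed(news, manager),
            ti.isConstructionAllowed(root, manager),
            ti.isConstructionAllowed(news, member))
```

Because constructInstance delegates to isConstructionAllowed, a folder listing that asks "may this user add this type here?" and the actual construction call always give the same answer.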