[Zope-dev] Local roles and security of ZClass instances in Specialists

Itai Tavor itai@optusnet.com.au
Tue, 23 Jan 2001 13:08:27 +1100


Hi,

I'm trying to work out a security strategy for data stored in 
Specialists, where specific users need access to specific data 
instances.

For example: A Customer object is linked to a Person and Address 
objects. The customer needs permission to edit her - and only her 
- Address object. Using the Owner local role won't work, because 
customers can be registered by site managers and customer support 
people, in which case Owner won't be the customer.

I can solve this by giving the customer a local role when creating 
her Address object:

     Customers.addCustomer(REQUEST):
         ni = container.addItem(some_id)
         # create the Address on the customer's behalf, passing her id along
         container.Addresses.addAddressFor(ni.id, REQUEST)

     Addresses.addAddressFor(for_id, REQUEST):
         ni = container.addItem(some_id)
         # grant the role on this one instance only, not on the Specialist
         ni.manage_addLocalRole(for_id, 'EditMyDetails')

But this can be a lot of work - If an Address object can also be 
created for a CreditCard object, addCreditCard will have to both set 
its own local role, and pass the customer id on to Address...

But the main problem is that I'm not sure if it will work at all - 
can local roles be set for DataSkins that aren't stored in the ZODB? 
From what I can see ZPatterns doesn't support this, so I'll have to 
do it myself. __ac_local_roles__ can't be accessed in a SkinScript - 
so will I have to override has_local_roles, get_local_roles and 
get_local_roles_for_userid and call them from the SkinScript? This is 
getting hairy...

Without local roles, all I can think of is explicitly checking that 
the logged in user is the right customer in all the methods that 
display and edit the object, which is very ugly. Plus it would 
require Address to know a customer_id even when it actually belongs 
to a CreditCard, not a Customer... there goes Demeter. Or I can add a 
findUserID to Address, CreditCard and Customer, all of which pass the 
request upwards until one is reached that actually knows the 
customer. Still ugly.

TIA for any comments/suggestions.

Itai
-- 
Itai Tavor                    "Je sautille, donc je suis."
C3Works    itai@c3works.com              - Kermit the Frog

"If you haven't got your health, you haven't got anything"
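An added, stand-alone model of the local-role approach discussed in the post (this is example code, not Zope, ZPatterns or the poster's code): objects carry a per-instance __ac_local_roles__ mapping, a user's effective roles are the global ones plus local roles acquired up the container chain, and a permission check intersects those with the roles the permission is granted to. The Customers/Addresses Specialists, the EditMyDetails role and the addCustomer/addAddressFor flow follow the post; the "Edit My Details" permission name, the Specialist/Item classes and the user ids are assumed for illustration. It also shows the pitfall a practitioner would check for: granting the role on the Addresses Specialist instead of the instance leaks edit rights to every address below it.

```python
# Added example: minimal model of Zope 2 style local roles, not Zope code.
# Names from the post: Customers, Addresses, Address, EditMyDetails.
# Everything else (permission name, classes, user ids) is assumed.

# Permission -> roles carrying it (what the permission settings tab holds).
PERMISSION_ROLES = {
    "Edit My Details": ("Manager", "EditMyDetails"),
    "View": ("Manager", "Customer", "EditMyDetails"),
}


class User:
    """A user with global roles, as a user folder would supply them."""
    def __init__(self, userid, roles=()):
        self.userid = userid
        self.roles = tuple(roles)


class Item:
    """Stored object with per-instance local roles:
    __ac_local_roles__ maps userid -> list of roles granted on this instance."""
    def __init__(self, id, container=None):
        self.id = id
        self.container = container          # acquisition parent
        self.__ac_local_roles__ = {}

    def manage_addLocalRole(self, userid, role):
        roles = self.__ac_local_roles__.setdefault(userid, [])
        if role not in roles:
            roles.append(role)

    def has_local_roles(self):
        return bool(self.__ac_local_roles__)

    def get_local_roles_for_userid(self, userid):
        return tuple(self.__ac_local_roles__.get(userid, ()))


class Specialist(Item):
    """Container that creates and holds items; stands in for a Specialist."""
    def __init__(self, id, container=None):
        Item.__init__(self, id, container)
        self.items = {}

    def addItem(self, id):
        ni = Item(id, container=self)
        self.items[id] = ni
        return ni


def effective_roles(user, obj):
    """Global roles plus local roles on obj and on every container above it
    (local roles are acquired downwards through the container chain)."""
    roles = set(user.roles)
    node = obj
    while node is not None:
        roles.update(node.get_local_roles_for_userid(user.userid))
        node = node.container
    return roles


def check_permission(user, obj, permission):
    """True if any of the user's effective roles carries the permission."""
    allowed = set(PERMISSION_ROLES.get(permission, ()))
    return bool(effective_roles(user, obj) & allowed)


def add_address_for(addresses, for_id, address_id):
    """Addresses.addAddressFor: create the Address and grant the customer
    EditMyDetails on that one instance."""
    ni = addresses.addItem(address_id)
    ni.manage_addLocalRole(for_id, "EditMyDetails")
    return ni


def add_customer(customers, addresses, customer_id):
    """Customers.addCustomer, run by whoever registers the customer (possibly
    a manager), so the customer's id is passed on explicitly."""
    ni = customers.addItem(customer_id)
    add_address_for(addresses, ni.id, "addr_" + customer_id)
    return ni


def demo():
    """Constructed scenario: two customers registered by a support user."""
    root = Specialist("root")
    customers = Specialist("Customers", container=root)
    addresses = Specialist("Addresses", container=root)
    support = User("support1", roles=("Manager",))
    alice = User("alice", roles=("Customer",))
    add_customer(customers, addresses, "alice")
    add_customer(customers, addresses, "bob")
    a_addr = addresses.items["addr_alice"]
    b_addr = addresses.items["addr_bob"]
    results = {
        "alice_edits_own": check_permission(alice, a_addr, "Edit My Details"),
        "alice_edits_bob": check_permission(alice, b_addr, "Edit My Details"),
        "support_edits_alice": check_permission(support, a_addr, "Edit My Details"),
    }
    # Pitfall: granting on the Specialist is acquired by every address in it.
    addresses.manage_addLocalRole("alice", "EditMyDetails")
    results["specialist_grant_leaks"] = check_permission(alice, b_addr, "Edit My Details")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-24s %s" % (name, ok))
```

The per-instance grant gives alice edit rights on her own Address only, while the Manager role still covers both; the last entry shows why the grant must sit on the Address itself and not on the Addresses container.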