[Zope-dev] Roles, groups and permissions: Less talk, more action! :-)

Florent Guillaume fg@nuxeo.com
Sun, 24 Mar 2002 22:51:38 +0000 (UTC)


Ok, this matches what I expected.

Here's some nitpicking :)

- I really don't like the term groups or workgroups for what you have,
  because I see them as mappings between two kinds of concepts (the
  users and the roles) whereas groups implies only one kind of thing.

- For the Blacklist part, I'd like to propose slightly different
  semantics with respect to the white and black lists. Basically I'd
  like them to be exclusive: if someone is on the whitelist he cannot
  be on the blacklist, and vice versa. This cleans up some behavior of
  the UI that the user would find nonintuitive.
  (However see my comment below, with groups we can't do that.)


The other thing we will have to resolve (and it's also true for Zope 3
anyway) is how user groups will interact with the blocking that
blacklists provide. Is the blacklist evaluated first, or is it the
whitelist?

For instance, suppose I have a user group G1=(U1,U2,U3), and G2=(U1,U2).
Suppose G1 is in the whitelist and G2 in the blacklist.

In a system where we can grant or deny permissions to things that are
groups, we'd ideally want to be able to say
 "allow G1 except (G2 except G3)"
which cannot be decomposed into a disjoint set of "allow those " and
"deny those".

Hope I'm clear :)

Florent


Lennart Regebro <lennart@torped.se> wrote:
> Since I'm not good at explaining how I think Zope's groups and roles should
> work, I have decided to show you instead:
> 
> The patch is available at http://www.zope.org/Members/regebro/workgroups/ .
> Just zip it up in the Products directory and restart. I won't be held
> responsible for anything even if it definitely is my fault. :-)
> 
> This is a "proof of concept" implementation. It's available as a
> "monkeypatch" that should work on both 2.4 and 2.5 and maybe even 2.3 and
> 2.2. The user interface is ugly, and the code is uglier, but who cares. This
> is a fast hack to show how I think it should work instead of trying to
> explain it. :-)
> 
> So, please: Check this out and say what you think. I think this is a definite
> improvement.
> Another definite improvement should be switching the permissions and local
> roles pages. The roles should pop up first, and the permissions page could
> be accessed from that one.
-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 10  http://nuxeo.com  mailto:fg@nuxeo.com
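
Added example, not part of the original message or of the workgroups patch: a brute-force check of the point above that "allow G1 except (G2 except G3)" has no equivalent pair of exclusive group whitelist and blacklist, under either evaluation order. G1 and G2 are the groups from the message; the membership of G3, the function names, and the rule that a user on neither list is denied are assumptions made for the example.

```python
from itertools import product

# G1 and G2 are from the message; G3's membership is constructed for this example.
GROUPS = {
    "G1": frozenset({"U1", "U2", "U3"}),
    "G2": frozenset({"U1", "U2"}),
    "G3": frozenset({"U1"}),
}

def nested_allowed(groups):
    """Users permitted by "allow G1 except (G2 except G3)"."""
    return groups["G1"] - (groups["G2"] - groups["G3"])

def members(names, groups):
    """Union of the users in the named groups."""
    return frozenset().union(*(groups[n] for n in names))

def flat_allowed(whitelist, blacklist, groups, order):
    """Evaluate flat lists of groups; users on neither list are denied (assumption)."""
    white, black = members(whitelist, groups), members(blacklist, groups)
    if order == "blacklist-first":   # a deny match overrides any allow
        return white - black
    return white                     # "whitelist-first": an allow match overrides any deny

def flat_equivalents(groups):
    """Every exclusive (whitelist, blacklist, order) that reproduces the nested rule."""
    target, names, found = nested_allowed(groups), sorted(groups), []
    # Each group is on the whitelist, on the blacklist, or on neither, never both.
    for placement in product(("white", "black", "none"), repeat=len(names)):
        white = [n for n, p in zip(names, placement) if p == "white"]
        black = [n for n, p in zip(names, placement) if p == "black"]
        for order in ("blacklist-first", "whitelist-first"):
            if flat_allowed(white, black, groups, order) == target:
                found.append((white, black, order))
    return found

if __name__ == "__main__":
    print("nested rule allows:", sorted(nested_allowed(GROUPS)))
    print("G1 white, G2 black, blacklist first:",
          sorted(flat_allowed(["G1"], ["G2"], GROUPS, "blacklist-first")))
    print("flat equivalents:", flat_equivalents(GROUPS))
```

With G3 empty the nested rule collapses to "allow G1 except G2", and the search then finds the flat pair (G1 whitelisted, G2 blacklisted, blacklist evaluated first).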