[Zope-dev] LDAPRoleTwiddler / BasicUserFolder

Shane Hathaway shane@zope.com
Thu, 17 Oct 2002 15:57:20 -0400


Dirk Datzert wrote:
>>>def getRolesInContext(self, obj):
>>>   lrt = obj.acl_users # get nearest acl_users for obj (not really sure if this works ?)
>>>   user = lrt.getUser ( self.getId(), self._getPassword() )
>>>   return user.getRoles()
>>
>>Hmm, no, the user object is simply "self".
>>
> 
> yes wrong question ;-)
> 
> having the follow folder structure:
> 
> /acl_users (LUF)
> /dir1/acl_users (LRT1)
> /dir2/acl_users (LRT2)
> 
> If I access /dir1/index_html, does the user object come from LRT1 or LUF?
> I would expect LRT1.

You might expect that, but you probably shouldn't. :-)  The user may 
have roles in places other than /dir1.  Let's say there's a shared 
calendar object at /calendar, only certain people can access it, and for 
those people it gets displayed on every page throughout the site.  If 
you put users in the context of the role twiddler, they won't be able to 
access /dir1 and /calendar in the same request.  You would be tempted to 
"fix" the context checking by disabling it.  You'd open a big hole. ;-)
It's better for users to exist in the context of the LUF.

> If I access /dir2/index_html, does the user object come from LRT2?
> What if, in /dir2/index_html, I access aq_parent.dir1.index_html?
> Will the AUTHENTICATED_USER change? Will the user object come from LRT2?

No, it will not.  Only one user ever applies to a request.  And whether 
you get access to /dir1/index_html depends on the context of the user: 
if the user appears to be in the context of /acl_users, you'll get 
access (possibly excessive access), but if the user appears to be in the 
context of /dir1/index_html, you won't get access, regardless of 
permissions and roles.

In the real world, you don't want either extreme.  You want the user to 
be in the context of /acl_users, but you don't want to grant temporary 
global roles like LDAPRoleExtender currently does, since that can also 
open security holes.  You want dynamic local roles.  And the right way 
to do this in Zope 2 is to override getRolesInContext().

Shane
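As an added illustration of the design Shane recommends (not code from the thread or from Zope itself), the following simplified model keeps one user object in the root acl_users and lets getRolesInContext() add roles that depend on where the accessed object lives, rather than widening the user's global roles. The Folder/User classes, the dynamic_roles mapping and the folder layout are constructed for this example.

```python
# Simplified stand-alone model (constructed for this example; not Zope's own
# code): one user object in the root acl_users, whose getRolesInContext()
# adds roles depending on where the accessed object lives.

class Folder:
    def __init__(self, id, parent=None, dynamic_roles=None):
        self.id = id
        self.aq_parent = parent  # containment parent, as in Zope acquisition
        # {user_id: set(roles)} granted by a role source next to this folder
        # (the place an LDAPRoleTwiddler would sit in the thread's layout).
        self.dynamic_roles = dynamic_roles or {}


class User:
    def __init__(self, id, global_roles=()):
        self._id = id
        self._global_roles = tuple(global_roles)

    def getRoles(self):
        # Static global roles only; never extended temporarily per request.
        return self._global_roles + ('Authenticated',)

    def getRolesInContext(self, obj):
        # Walk from obj up the containment chain and collect every local
        # role an enclosing folder's role source grants to this user.
        roles = set(self.getRoles())
        node = obj
        while node is not None:
            roles.update(node.dynamic_roles.get(self._id, ()))
            node = node.aq_parent
        return sorted(roles)

    def allowed(self, obj, roles_permitted):
        # Permission check: does the user hold any permitted role *here*?
        return bool(set(roles_permitted) & set(self.getRolesInContext(obj)))


def check_one_request(user_id='dirk'):
    """/ (LUF), /dir1 (LRT1), /dir2 (LRT2), /calendar, as in the thread."""
    root = Folder('')
    dir1 = Folder('dir1', root, {'dirk': {'Manager'}})
    dir2 = Folder('dir2', root)
    cal = Folder('calendar', root, {'dirk': {'CalendarUser'}})
    user = User(user_id)  # the single user object for the whole request
    return {
        'dir1_manage': user.allowed(dir1, ['Manager']),
        'calendar_view': user.allowed(cal, ['CalendarUser']),
        'dir2_manage': user.allowed(dir2, ['Manager']),
    }
```

The same user object is allowed into both /dir1 and /calendar within one request, while the Manager role granted under /dir1 never leaks into /dir2.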