[Zope-dev] LDAPRoleTwiddler / BasicUserFolder
Shane Hathaway
shane@zope.com
Thu, 17 Oct 2002 15:57:20 -0400
Dirk Datzert wrote:
>>>def getRolesInContext(self, obj):
>>> lrt = obj.acl_users # get nearest acl_users for obj (not really sure
>>>if this works ?)
>>> user = lrt.getUser ( self.getId(), self._getPassword() )
>>> return user.getRoles()
>>
>>Hmm, no, the user object is simply "self".
>>
>
> yes wrong question ;-)
>
> having the follow folder structure:
>
> /acl_users (LUF)
> /dir1/acl_users (LRT1)
> /dir2/acl_users (LRT2)
>
> if I access /dir1/index_html comes the user object from LRT1 or LUF ?
> I would expect LRT1.
You might expect that, but you probably shouldn't. :-) The user may
have roles in places other than /dir1. Let's say there's a shared
calendar object at /calendar, only certain people can access it, and for
those people it gets displayed on every page throughout the site. If
you put users in the context of the role twiddler, they won't be able to
access /dir1 and /calendar in the same request. You would be tempted to
"fix" the context checking by disabling it. You'd open a big hole. ;-)
It's better for users to exist in the context of the LUF.
> if I access /dir2/index_html comes the user object from LRT2 ?
> what if I access in /dir2/index_html aq_parent.dir1.index_html.
> Will the AUTHENTICATED_USER change ? will the user object come from LRT2
> ?
No, it will not. Only one user ever applies to a request. And whether
you get access to /dir1/index_html depends on the context of the user:
if the user appears to be in the context of /acl_users, you'll get
access (possibly excessive access), but if the user appears to be in the
context of /dir1/index_html, you won't get access, regardless of
permissions and roles.
In the real world, you don't want either extreme. You want the user to
be in the context of /acl_users, but you don't want to grant temporary
global roles like LDAPRoleExtender currently does, since that can also
open security holes. You want dynamic local roles. And the right way
to do this in Zope 2 is to override getRolesInContext().
Shane