[Zope-dev] LOTS of roles?
Paul Winkler
pw_lists@slinkp.com
Mon, 24 Feb 2003 16:27:22 -0500
On Sun, Feb 23, 2003 at 09:02:24PM +0100, Dieter Maurer wrote:
> I think (not sure, though) that Zope has the following time
> complexity for permission checking:
>
> If a user has "u" roles and a permission is allowed for
> "a" roles, then Zope checks for each of the "u" roles
> whether it is in the list of "a" roles.
That's correct, I just found this in lib/python/AccessControl/User.py,
in the definition of "allowed":
user_roles = self.getRoles()
for role in object_roles:
if role in user_roles:
if self._check_context(object):
return 1
return None
(_check_context ensures that the object is not acquired from some
other context where this user doesn't exist.)
> The complexity is "u * a" whith can be too high for
> large "u" and "a".
Indeed... and object_roles seems likely to be bigger than user_roles
(in general, but drastically moreso in my scenario). which means
that it's quite likely we'd iterate for quite some time before
findign a match.
> It is easy to optimize this to "u + a" (via a dictionary),
> then thousands of roles should not be a problem.
would that mean you have to build a (potentially huge) dictionary every
time? I'd greatly appreciate it if you could expand on this suggestion.
Thanks!
--
Paul Winkler
http://www.slinkp.com