[Zope-dev] LOTS of roles?

Leonardo Rochael Almeida leo@hiper.com.br
24 Feb 2003 21:00:25 -0300


On Mon, 2003-02-24 at 19:07, Paul Winkler wrote:
> On Mon, Feb 24, 2003 at 07:18:21PM -0300, Leonardo Rochael Almeida wrote:
> > 
> > I don't think a multitude of roles is the way to go. The way your
> > problem sounds, you need users being allowed/forbidden to do certain
> > tasks depending on which part of the site they are. This is what
> > local-roles are for: parameterizing the permissions of a user based on
> > the location of the objects inside Zope.
> 
> Yes, except that Oliver hit the nail on the head when he said:
> 
> """From that I gather that your "sites" don't map 1:1 to objects into
> zope, so that you cannot use local roles for that, right?
> E.g, there are methods like doTaskX(location,...), where the permission
> to execute that method depend on location, and location is not an object
> inside zope.
> """

Yes, but .getRolesInContext still gives you everything you need to know:
The user object (and everything your user folder puts in there, which
could include request data, such as the originating IP and time of
login) and the object, including its location and any other data you
can acquire from it.

> [...]
> 
> > So I think you need dynamically calculated local roles. This can be
> > achieved by a user folder that returns a user object that overrides
> > ".getRolesInContext(object)" to take the location (or any other
> > attribute, such as an acquired "site") of "object" and check it against
> > your central authorization source (eg. LDAP).
> 
> hmmm... now i'm leaning back this way again.
> some quick testing with a large number of roles (10,000 added
> via a ZEO debug session) reveals that performance does indeed
> suck with that many roles. i could pursue the optimization that 
> Dieter suggested but i'm no longer sure that I want to; the "lots of roles"
> idea was a lot more attractive when I thought it would be only
> a UI issue.  Instead it looks like I'd have to make substantial
> changes in lib/python/AccessControl and there's a few more thousand
> lines of code in there which I haven't even looked at yet.

Yes. I do believe .getRolesInContext was put there to support this kind
of customization.

As I said in posts past, local-roles should have a more central role in
the documentation, and that includes development documentation, such as
local-role customization.

> 
> [...]
> > Hope I made some sense :-)
> 
> I think so. This stuff makes my head hurt. :)

I feel your pain :-)

Cheers, Leo

-- 
Ideas don't stay in some minds very long because they don't like
solitary confinement.
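
The following is an added example, not part of the original message and not Zope's own code: a sketch of the dynamically calculated local roles discussed above, where a user object overrides `getRolesInContext(object)` and checks an acquired "site" against a central source. `Node`, `acquire`, `DirectoryUser`, `lookup` and the grants table are hypothetical stand-ins so the block runs without Zope or LDAP.

```python
# Added illustration: stand-ins only, not Zope's AccessControl classes.
class Node:
    """Constructed stand-in for an object in a containment hierarchy."""
    def __init__(self, name, parent=None, **attrs):
        self.name, self.parent = name, parent
        vars(self).update(attrs)

def acquire(obj, attr, default=None):
    """Walk up the parents, mimicking acquisition of an attribute."""
    while obj is not None:
        if attr in vars(obj):
            return vars(obj)[attr]
        obj = obj.parent
    return default

class DirectoryUser:
    """Hypothetical user object; roles depend on the object's acquired site."""
    def __init__(self, name, global_roles, lookup):
        self.name = name
        self._roles = tuple(global_roles)
        self._lookup = lookup  # callable(user_name, site) -> roles
        self._cache = {}       # lives only as long as this user object

    def getRoles(self):
        return self._roles + ("Authenticated",)

    def getRolesInContext(self, obj):
        site = acquire(obj, "site")
        if site is None:
            return self.getRoles()  # no site found: grant nothing extra
        if site not in self._cache:
            self._cache[site] = tuple(self._lookup(self.name, site))
        return self.getRoles() + self._cache[site]

# Constructed sample grants standing in for the central source (e.g. LDAP).
GRANTS = {("paul", "nyc"): ["Editor"], ("paul", "sfo"): ["Reviewer"]}
CALLS = []  # records each query sent to the central source

def lookup(user_name, site):
    CALLS.append((user_name, site))
    return GRANTS.get((user_name, site), [])

root = Node("root")
nyc = Node("nyc", root, site="nyc")
doc = Node("doc", Node("folder", nyc))
sfo = Node("sfo", root, site="sfo")
paul = DirectoryUser("paul", ["Member"], lookup)
```

The per-user cache keeps the central source from being queried on every permission check, at the cost that a revoked grant stays in effect until the user object is discarded.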