Security internals, was Re: [Zope-dev] LOTS of roles?

Adrian van den Dries adriand@flow.com.au
Fri, 7 Mar 2003 08:56:59 +1100


On March 5, Paul Winkler wrote:
> * more coupling

Yes.

> * performance hit

Yes.

> * one more detail to pay attention to

Yes.

> OTOH, doing the magic in user.allowed() would mean 
> I'd only need one "special" UserFolder instance at the top of the
> hierarchy, and then everything else Just Works regardless of
> what folderish thing it is and all my LDAP-related code would
> be in this UserFolder class.
> 
> Am I overlooking something?

No, I think you've distilled the issue quite concisely.

(/me revisits LDAPUserFolder)

Looks like the work is already done for you anyway: allowed() and
friends check if the context has an attribute acl_satellite, and
query it for any additional roles, and it even keeps a cache.  You
could probably just customise the Folder to automagically place a
satellite object in it.  Or otherwise borrow the logic to do what you
need.

Huzzah open-source software!

a.

-- 
 Adrian van den Dries                           adriand@flow.com.au
 Development team                               www.dev.flow.com.au
 FLOW Communications Pty. Ltd.                  www.flow.com.au
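
A simplified model of the pattern described in the message above, added here as an illustration; it is not part of the original post and is not LDAPUserFolder's code. The names Satellite, additional_roles, Folder, find_satellite, User and demo are hypothetical, and the walk up the parent chain is an assumed stand-in for Zope acquisition. It shows the security-relevant side of the role cache: a role revoked in the directory is still honoured until the cached entry expires.

```python
import time

class Satellite:
    """Hypothetical stand-in for the object a folder holds as acl_satellite."""
    def __init__(self, lookup, ttl=600, clock=time.monotonic):
        self.lookup, self.ttl, self.clock = lookup, ttl, clock
        self.cache = {}  # user id -> (expiry time, roles)

    def additional_roles(self, user_id):
        now = self.clock()
        entry = self.cache.get(user_id)
        if entry and entry[0] > now:
            return entry[1]  # served from cache, may be stale until expiry
        roles = frozenset(self.lookup(user_id))  # e.g. a directory group query
        self.cache[user_id] = (now + self.ttl, roles)
        return roles

class Folder:
    def __init__(self, parent=None, acl_satellite=None):
        self.parent = parent
        if acl_satellite is not None:
            self.acl_satellite = acl_satellite

def find_satellite(context):
    """Nearest acl_satellite going up the containers (acquisition modelled by hand)."""
    while context is not None and not hasattr(context, "acl_satellite"):
        context = context.parent
    return getattr(context, "acl_satellite", None)

class User:
    def __init__(self, user_id, roles=()):
        self.id, self.roles = user_id, frozenset(roles)

    def allowed(self, context, object_roles):
        # Roles held directly, plus whatever the satellite in this context adds.
        satellite = find_satellite(context)
        extra = satellite.additional_roles(self.id) if satellite else frozenset()
        return bool((self.roles | extra) & set(object_roles))

def demo():
    """Constructed data: a dict stands in for the directory, a list for the clock."""
    groups, now = {"paul": {"Editor"}}, [0.0]
    sat = Satellite(lambda uid: groups.get(uid, ()), ttl=60, clock=lambda: now[0])
    sub = Folder(parent=Folder(acl_satellite=sat))  # satellite sits one level up
    paul = User("paul", ["Authenticated"])
    before = paul.allowed(sub, ["Editor"])
    groups["paul"] = set()                 # role revoked in the directory
    stale = paul.allowed(sub, ["Editor"])  # still granted from the cache
    now[0] = 61                            # past the 60 second lifetime
    return before, stale, paul.allowed(sub, ["Editor"])
```

The cache lifetime is therefore the upper bound on how long a revoked role keeps working; a deployment that caches roles this way needs either a short lifetime or an explicit flush on revocation.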