Security internals, was Re: [Zope-dev] LOTS of roles?
Adrian van den Dries
adriand@flow.com.au
Fri, 7 Mar 2003 08:56:59 +1100
On March 5, Paul Winkler wrote:
> * more coupling
Yes.
> * performance hit
Yes.
> * one more detail to pay attention to
Yes.
> OTOH, doing the magic in user.allowed() would mean
> I'd only need one "special" UserFolder instance at the top of the
> hierarchy, and then everything else Just Works regardless of
> what folderish thing it is and all my LDAP-related code would
> be in this UserFolder class.
>
> Am I overlooking something?
No, I think you've distilled the issue quite concisely.
(/me revisits LDAPUserFolder)
Looks like the work is already done for you anyway: allowed() and
friends check if the context has an attribute acl_satellite, and
query it for any additional roles, and it even keeps a cache. You
could probably just customise the Folder to automagically place a
satellite object in it. Or otherwise borrow the logic to do what you
need.
Huzzah open-source software!
a.
--
Adrian van den Dries adriand@flow.com.au
Development team www.dev.flow.com.au
FLOW Communications Pty. Ltd. www.flow.com.au
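
A simplified model of the lookup described in the message above, added here as an illustration; it is not code from Zope or LDAPUserFolder. The names Satellite, additional_roles, Folder and User, and the TTL-based cache, are assumptions. It shows why a role cache needs an expiry: a role removed in the directory stays in effect until the cached entry ages out.

```python
import time

class Satellite:
    """Hypothetical stand-in for an acl_satellite: maps a user to extra roles."""
    def __init__(self, lookup, ttl=60.0, clock=time.monotonic):
        self._lookup = lookup      # callable(user_id) -> roles, e.g. a directory query
        self._ttl = ttl            # seconds a cached answer stays valid
        self._clock = clock
        self._cache = {}           # user_id -> (expires_at, roles)
        self.lookups = 0           # backend queries made, to show the cache working

    def additional_roles(self, user_id):
        now = self._clock()
        hit = self._cache.get(user_id)
        if hit and hit[0] > now:
            return hit[1]          # fresh cache entry: no backend query
        self.lookups += 1
        roles = frozenset(self._lookup(user_id))
        self._cache[user_id] = (now + self._ttl, roles)
        return roles

class Folder:
    """Hypothetical context object; only some folders carry a satellite."""
    def __init__(self, acl_satellite=None):
        if acl_satellite is not None:
            self.acl_satellite = acl_satellite

class User:
    def __init__(self, user_id, roles=()):
        self.user_id = user_id
        self.roles = frozenset(roles)

    def roles_in_context(self, context):
        roles = set(self.roles)
        satellite = getattr(context, "acl_satellite", None)
        if satellite is not None:  # context has a satellite: ask it for more roles
            roles |= satellite.additional_roles(self.user_id)
        return roles

    def allowed(self, context, required_roles):
        return bool(self.roles_in_context(context) & set(required_roles))

if __name__ == "__main__":
    groups = {"paul": ["Editor"]}  # constructed sample directory data
    sat = Satellite(lambda uid: groups.get(uid, ()))
    user = User("paul", roles=["Authenticated"])
    print(user.allowed(Folder(), ["Editor"]))                   # no satellite
    print(user.allowed(Folder(acl_satellite=sat), ["Editor"]))  # satellite adds role
```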