[Zope-dev] [Zope Enhancement Proposal] Sanitizing local roles
robert rottermann
robert at redcor.ch
Thu Jul 22 15:35:24 EDT 2004
I would very much appreciate such an enhancement.
So ++1
I would like to see where a role was assigned.
And if I can express yet another wish:
I would very much like to have a way to see what the settings for a
particular user are. And where the settings for a given permission have
come from.
Robert
Dieter Maurer wrote:
> Local roles are "acquired" from ancestors.
>
> While this is not bad for e.g. a "Manager" local role,
> its conceptual usefulness is in great doubt for e.g. the "Owner" role.
> It is very unclear why an "Owner" of a folder should automatically
> be an "Owner" of all its content.
>
> I therefore propose to make "acquisition" of local roles
> customizable.
>
> I see two potential variants:
>
> 1. objects get a boolean flag "__ac_acquire_local_roles__"
> with default value "True" which allows "acquisition"
> of all local roles.
>
> 2. objects get a dictionary "__ac_acquire_local_roles__"
> mapping role names to a boolean which allows acquisition
> for the respective role.
>
> Of course, the second variant provides more fine grained control
> and will require a more complex UI.
>
> The change would affect the methods "allowed" and "getRolesInContext"
> of "AccessControl.User.BasicUser" and would require
> new methods in "AccessControl.Role.RoleManager" to
> read and modify the new "__ac_acquire_local_roles__".
>
>
> Moreover, I propose to change the local role management pages.
> When setting local roles, information about "acquired"
> local role definitions is very helpful.
> I therefore propose to display this information on the local
> role edit page.
>
>
> I even would prefer a much more drastic change for both
> local role management and permission-role-map management:
> a compact, look-only overview mapping roles to users
> and permissions to roles, respectively, with links to
> a page to edit the association of a single role or permission,
> respectively. Something like:
>
> Role    | acquire | locally assigned users | ancestor assigned users
> -------------------------------------------------------------------
> Owner   | no      | dieter                 | admin, dieter
> -------------------------------------------------------------------
> Manager | yes     | dieter                 | admin
> -------------------------------------------------------------------
>
> The "Role" column is a link to a page to edit "acquire"
> and "locally assigned users" for the respective role.
>
>
> Advantages:
>
> * more natural behaviour for roles like "Owner"
>
> * access restricted sub-sites would be much easier to implement
>
> * more informative management pages
>
>
> Risks:
>
> * Classes deriving from "AccessControl.BasicUser" may have
> overridden "allowed" and "getRolesInContext".
>
> Such overridden methods would not interpret "__ac_acquire_local_roles__"
> until adapted.
>
> Fortunately, it is not very likely that these two methods
> are overridden.
>
> * Local roles get a bit more complex.
>
> However, explicit "acquisition" control is already used
> for the permission role mapping. Thus, users could
> recognize the same concept.
>
> * The 2.8/2.9 edition of the Zope Book would need to be adapted.
>
>
> If there is interest,
> I could implement the changes and provide patches
> against the Zope SVN version.
> However, I do not have write permissions to the repository.
> This means, someone else would need to make the actual checkins.
>
>
> BTW: Almost surely, I will implement the proposed change in our
> "private" Zope copy and use it in one of our projects.
> This means, I could provide "production experience" for the
> change in some months.
>
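
Added example, not part of the original thread and not Zope's AccessControl code: a simplified model of the proposed `__ac_acquire_local_roles__` check covering both variants, which also reports which object grants each role. The `Node` class, `may_acquire`, `effective_local_roles` and the sample tree are assumptions for illustration; the flag is read as "this object acquires the role from its ancestors", as the "acquire" column of the proposed overview suggests.

```python
# Simplified stand-in for Zope objects; not AccessControl code.
class Node:
    def __init__(self, name, parent=None, local_roles=None, acquire=True):
        self.name = name
        self.parent = parent
        # user id -> roles assigned directly on this object
        self.__ac_local_roles__ = local_roles or {}
        # variant 1: a bool; variant 2: a dict of role name -> bool
        self.__ac_acquire_local_roles__ = acquire


def may_acquire(obj, role):
    """True if obj lets `role` flow in from its ancestors."""
    flag = obj.__ac_acquire_local_roles__
    if isinstance(flag, dict):
        # Assumption: a role missing from the dict keeps today's behaviour.
        return flag.get(role, True)
    return bool(flag)


def effective_local_roles(user, obj):
    """Map each local role `user` holds at obj to the objects granting it."""
    sources, below, node = {}, [], obj
    while node is not None:
        for role in node.__ac_local_roles__.get(user, ()):
            # An ancestor's grant counts only if every object between it
            # and obj (obj included) still acquires that role.
            if all(may_acquire(d, role) for d in below):
                sources.setdefault(role, []).append(node.name)
        below.append(node)
        node = node.parent
    return sources


# Constructed sample tree mirroring the overview table in the proposal.
root = Node("root", local_roles={"admin": ["Owner", "Manager"], "dieter": ["Owner"]})
folder = Node("folder", root, {"dieter": ["Owner", "Manager"]},
              acquire={"Owner": False, "Manager": True})   # variant 2
doc = Node("doc", folder)
private = Node("private", root, acquire=False)              # variant 1

if __name__ == "__main__":
    for user in ("admin", "dieter"):
        for obj in (folder, doc, private):
            print(user, obj.name, effective_local_roles(user, obj))
```

Because the block set on `folder` is checked for every object below it, `doc` does not regain the "Owner" grant from `root` even though `doc` itself acquires everything.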