[Zope-PAS] Re: local roles plugins
Jens Vagelpohl
jens at dataflake.org
Mon Apr 18 04:05:01 EDT 2005
On Apr 18, 2005, at 9:17, Kapil Thangavelu wrote:
>
> On Apr 11, 2005, at 1:51 PM, Zachery Bir wrote:
>
>> On 2005-02-07 17:44:21 -0500, Kapil Thangavelu
>> <hazmat at objectrealms.net> said:
>>
>>> hi folks,
>>> i'd like to see a new plugin type for local roles plugins. the major
>>> driving reason is to enable a local roles blocking policy on
>>> containers.
>>> i've got a version of it implemented and if its sounds good i'll
>>> setup a
>>> pas branch with the code. the implementation patches propertied user
>>> and
>>> setups a new plugin type based on the following interface.
>>
>> How would this not be satisfied by writing a special user factory,
>> whose user class specifies a different behavior for
>> getRolesInContext()? This doesn't strike me as an interface that
>> needs to go into the workings of PAS itself.
>
>
> agreed. the implementation itself was briefly done as a monkey patch,
> which the previous email was an artifact of, and then changed to a
> custom user factory and user class, which delegates to an internal
> local roles plugin type. unfortunately i haven't had time to push any
> of the other changes back into pas cvs, the core modifications/monkies
> currently are just adding add/del user api implementations.
Actually, you need more than just getRolesInContext on your custom
user. "allowed" needs to be overridden as well because the version on
PropertiedUser explicitly foregoes calling getRolesInContext.
But that didn't solve all problems for my setup: Sometimes it does not
seem possible to deduce the "real" context in the overridden
getRolesInContext/allowed methods.
Imagine a structure where you have a portal with sub-portals. The PAS
instance is in the portal, and I want to manipulate roles for requests
that are done at the subportal level, based on a property of the
subportal. If the requested page (a PageTemplate for example) is using
a tool that resides in the main portal and I grab the tool inside the
template and call a method with a simple...
foo here/portal_footool/foomethod
then the "object" that is passed into "allowed" has no context
information linking it to the subportal. Its own context is the main
portal. This is a complete blocker for that approach for me right now.
At this point I'm not sure if there's a way to make this scheme work at
all for my requirements.
jens
More information about the Zope-PAS
mailing list