[Zope-PAS] Re: new plugin for global group roles
Kapil Thangavelu
hazmat at objectrealms.net
Wed Feb 9 02:24:26 EST 2005
On Feb 8, 2005, at 5:39 AM, Tres Seaver wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Kapil Thangavelu wrote:
>
> | afaics, the default group usage in pas only augments principal roles
> | with local group roles. at the pas sprint this past week we put together
> | a role plugin which will assign global roles to a principal based on
> | direct principal grants and group grants.
>
> I'm missing something here: where are these grants made? Here is what
> I think is happening now:
>
> ~ - The ZODBRoleManager in Zope2 PAS allows assignment of roles to
> ~ either users or groups (both of which are "principals").
>

grants would be made in the same place.

> ~ - The RecursiveGroupFolder plugin scribbles a "transitive closure" of
> ~ the user's group memberships onto the user.
>

sure, for some definition of scribble ;-)

> ~ - Roles (both global and local) assigned either to the user or to one
> ~ of the user's groups are verified in the PropertiedUser method
> ~ 'allowed'.
>

this is where things aren't clear. the propertieduser impl of allowed
checks object access against the assigned roles global roles which does
not include group->role grants. afaics, groups are only being used when
local roles are being searched.

> How does your proposed change work with this setup?
>

exactly the same except that the role manager will do lookup of a
principal's groups in its principal to role mapping, when retrieving
principal roles. currently it's a straight mapping lookup of a principal
id to roles.

cheers,
Kapil Thangavelu <hazmat at objectrealms.net> Vision Implemented
objectrealms.net <http://www.objectrealms.net>
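
Added example, not part of the original message and not PAS code: a minimal model of the difference discussed above between a straight principal-id-to-roles lookup and a lookup that also consults the principal's groups. All function names and the sample data are hypothetical and constructed for illustration; the group closure is computed here with a simple cycle-safe walk.

```python
# Hypothetical model of the two lookup strategies; not the PAS plugin API.

def transitive_groups(principal_id, memberships):
    """All groups a principal belongs to, following nested groups (cycle-safe)."""
    seen = set()
    stack = list(memberships.get(principal_id, ()))
    while stack:
        group = stack.pop()
        if group in seen:
            continue  # already visited: guards against membership cycles
        seen.add(group)
        stack.extend(memberships.get(group, ()))
    return seen


def roles_direct(principal_id, principal_roles):
    """Straight mapping lookup: only grants made to the principal id itself."""
    return set(principal_roles.get(principal_id, ()))


def roles_with_groups(principal_id, principal_roles, memberships):
    """Direct grants plus grants made to any of the principal's groups."""
    roles = roles_direct(principal_id, principal_roles)
    for group in transitive_groups(principal_id, memberships):
        roles |= roles_direct(group, principal_roles)
    return roles


# Constructed sample data: principal -> groups, and principal -> global roles.
MEMBERSHIPS = {
    "alice": ["editors"],
    "editors": ["staff"],
    "staff": ["editors"],  # deliberate cycle to exercise the guard
    "bob": [],
}
PRINCIPAL_ROLES = {
    "alice": ["Member"],
    "editors": ["Reviewer"],
    "staff": ["Manager"],
}

if __name__ == "__main__":
    for pid in ("alice", "bob"):
        print(pid, sorted(roles_direct(pid, PRINCIPAL_ROLES)),
              sorted(roles_with_groups(pid, PRINCIPAL_ROLES, MEMBERSHIPS)))
```

In the sample data, "alice" gains "Manager" only through a nested group, which is the kind of indirect global grant worth reviewing when group-to-role lookup is enabled.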