[Zope-PAS] role management
Jens Vagelpohl
jens at dataflake.org
Thu Jan 19 18:31:10 EST 2006
On 19 Jan 2006, at 22:55, Wichert Akkerman wrote:
> Currently adding roles through a RoleManager breaks ZODBRoleManager:
> it reads a list of all roles when it is created and assumes they do not
> change after that. If you add a new role you can do that through
> a RoleManager directly, but ZODBRoleManager will not notice and
> will not enumerate it.
>
> Can someone enlighten me as to how roles and local roles really
> differ, and why every folder has both?
Roles are "global". User objects get them assigned upon creation.
Local roles are only used within the context they are defined in. So
if user "A" has role "Member" after authenticating at the root in
/acl_users, and he has a local role "Manager" in /members/A, then
security validation will recognize him as Member and Manager for all
items accessed in or underneath /members/A, but only as Member
everywhere else.

If ZODBRoleManager does not "see" global roles added after its
instantiation then that's a bug.
jens
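
The role resolution described in the reply above, as an added example that is not part of the original message and is not Zope or PAS code. It is a simplified model: the tables and the names GLOBAL_ROLES, LOCAL_ROLES, ancestors and roles_in_context are hypothetical, and the sample users and paths are constructed from the message's own "/members/A" case.

```python
# Simplified model of global vs. local role resolution; not Zope/PAS code.
# All names and sample data below are hypothetical / constructed.
from posixpath import normpath

# Global roles: attached to the user object when it is created at login.
GLOBAL_ROLES = {"A": {"Member"}, "B": {"Member"}}

# Local roles: stored on the object where they are defined, keyed by path.
LOCAL_ROLES = {
    "/members/A": {"A": {"Manager"}},
    "/members/B": {"B": {"Manager"}},
}


def ancestors(path):
    """Yield the context path, then each container above it, up to the root."""
    # Normalise first so "a/../b" cannot borrow local roles defined on "a".
    path = normpath("/" + path.strip("/"))
    while True:
        yield path
        if path == "/":
            return
        path = path.rsplit("/", 1)[0] or "/"


def roles_in_context(user_id, path):
    """Global roles plus every local role defined at or above the context."""
    roles = set(GLOBAL_ROLES.get(user_id, ()))
    # Walk whole path segments, not string prefixes: "/members/AB" is not
    # underneath "/members/A" and must not inherit its local roles.
    for node in ancestors(path):
        roles |= LOCAL_ROLES.get(node, {}).get(user_id, set())
    return roles


if __name__ == "__main__":
    for ctx in ("/", "/members/A", "/members/A/docs/report", "/members/B"):
        print(ctx, sorted(roles_in_context("A", ctx)))
```
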