[Zope-PAS] role management
Jens Vagelpohl
jens at dataflake.org
Sat Jan 21 11:10:31 EST 2006

On 21 Jan 2006, at 15:37, Wichert Akkerman wrote:
> Previously Jens Vagelpohl wrote:
>> Roles are "global". User objects get them assigned upon creation.
>
> Upon creation of what?

The user object.

>> If ZODBRoleManager does not "see" global roles added after its
>> instantiation then that's a bug.
>
> ZODBRoleManager only adds and updates roles in itself and never in the
> RoleManager, which suggests that it is meant to take over global role
> management completely. So I'm thinking that it should either indeed take
> that role and implement an interface for it, or not and always use
> __ac_roles__ from the closest containing RoleManager instead of using
> its internal data structure.

The ZODBRoleManager (or anything implementing the requisite PAS
plugin interfaces) is a bit removed from the normal RoleManager bit.
There is no automatic synchronization between what the
ZODBRoleManager shows in its Role tab and what shows up in the
Security tab on RoleManagers.

Basically, what's shown in the ZODBRoleManager Roles tab tells you
"these are the roles that this role manager can hand out to users". I
personally would consider it too much magic if adding a role here
would automatically add it to the Security tab on either the
enclosing container or the root. If you have a need to make a
RoleManager role available to the ZODBRoleManager and vice versa you
will need to do this with an explicit gesture at this point, meaning
manually. So in essence the ZODBRoleManager has nothing to do with
managing the standard RoleManager roles.

jens
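
An added example, not part of the original message or of PAS itself: a small audit that reports roles known to only one side, plus the explicit synchronization step the reply describes as a manual gesture. It assumes the plugin exposes listRoleIds() and addRole() and the container exposes valid_roles() and _addRole(); the two stand-in classes are constructed so the script runs without Zope.

```python
# Added example: stand-in classes are constructed so this runs without Zope.
IGNORE = frozenset({"Anonymous", "Authenticated"})  # assumption: skip these


class FakeRoleManager:
    """Constructed stand-in for a Zope RoleManager (a folder or the root)."""
    def __init__(self, roles):
        self.__ac_roles__ = tuple(roles)

    def valid_roles(self):
        return self.__ac_roles__

    def _addRole(self, role):
        self.__ac_roles__ += (role,)


class FakeRolePlugin:
    """Constructed stand-in for a ZODBRoleManager plugin."""
    def __init__(self, role_ids):
        self._roles = {r: {"id": r} for r in role_ids}

    def listRoleIds(self):
        return list(self._roles)

    def addRole(self, role_id, title="", description=""):
        self._roles[role_id] = {"id": role_id, "title": title}


def role_drift(plugin, container, ignore=IGNORE):
    """Report roles known to only one side; changes nothing."""
    handed_out = set(plugin.listRoleIds()) - ignore
    defined = set(container.valid_roles()) - ignore
    return {"only_in_plugin": sorted(handed_out - defined),
            "only_in_container": sorted(defined - handed_out)}


def sync_roles(plugin, container, ignore=IGNORE):
    """The explicit gesture: copy missing roles both ways, return what moved."""
    drift = role_drift(plugin, container, ignore)
    for role in drift["only_in_plugin"]:
        container._addRole(role)
    for role in drift["only_in_container"]:
        plugin.addRole(role)
    return drift


root = FakeRoleManager(["Anonymous", "Authenticated", "Manager", "Owner", "Reviewer"])
plugin = FakeRolePlugin(["Manager", "Owner", "Editor"])
print(role_drift(plugin, root))
```

Running role_drift() on its own is read-only, so it can be used to review which roles a plugin hands out that the container does not list before deciding whether to call sync_roles().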