[Zope] permission and role questions

Keith Rohrer KRohrer@hnv.com
Wed, 14 Apr 1999 19:04:39 -0500


I'm working on designing a web application, and right now I'm particularly
scrutinizing Zope's permission model.  In trying to think how I'd use it to
do what our existing, highly custom system does today, I wonder:

1) How does one examine the logged-in user's username from DTML?  I think I
just need the variable name here...

2) Once I know the user ID, how can I get a list of places the user is
permitted, so that all users can enter via one "front door" that always
shows exactly those rooms the user may enter?

3) Is there any form of permission inheritance or impersonation implemented?
Our application interfaces with other systems, and maps some local user IDs
to remote user IDs.  Assistants log in with their own IDs, then pick a
"primary" user on whose behalf to work; the system then uses the "primary"
user's permissions and presents the "primary" user's remote credentials.
I'm thinking I'll have to do this myself, since I need to keep both IDs
around for auditing info...fortunately I'm already expecting to use a custom
authentication layer (ever try to time out a session with basic
authentication?).

4) The security screen's permission settings have "acquire" checkboxes,
whose point is obvious, and per-role checkboxes.  I take it those enable
permissions?  So we can allow inherited permissions, and we can explicitly
add permissions, but there's no way to add-only-if-inherited or
inherit-but-deny-particular-loons-anyway?  Also, the permissions on
intervening levels of the tree are not checked, only inherited, right?

5) If I define users at a high level, can I grant those users roles defined
at deeper levels?  This would make my job with point (2) much easier, as I
could create roles Foobar_Peon and Foobar_Boss in the Foobar folder, then
offer the user buttons into Foobar if they have Foobar_whatever roles...

6) Is there any plan for, or how hard would it be to implement, a "reverse"
permission manipulation screen where the role is fixed and the subsystems
are columns?


I'm largely looking at Zope and ACE--and may wind up using them in
conjunction somehow--to recommend as frameworks; ACE (plus TAO) has good RPC
and OS abstraction layers for C++, while Zope is a much richer framework for
web applications.  If I have to write in permission checking and proxy users
along with the audit trail and the actual application functionality, no
biggie...

	Keith (I may need to inhale the developer docs now...)
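
The delegation scheme described in question 3, sketched as an added example that is not part of the original post and does not use Zope's API: an assistant authenticates as themselves, selects a "primary" user, is authorized with the primary's permissions, and every audit record carries both IDs. All class names, user IDs, permissions and remote IDs are hypothetical, constructed sample data.

```python
# Added illustration, not Zope code: every name and value here is hypothetical.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data.
DELEGATIONS = {"asst_kim": {"boss_lee", "boss_ross"}}  # assistant -> allowed primaries
PERMISSIONS = {"boss_lee": {"view_report", "approve_order"},
               "asst_kim": {"view_schedule"}}
REMOTE_IDS = {"boss_lee": "LEE042"}                    # local ID -> remote system ID

@dataclass
class Session:
    actor: str                  # who authenticated; never changes during the session
    primary: str = ""           # whose authority is in use; "" means acting as self
    audit: list = field(default_factory=list)

    @property
    def effective_user(self):
        return self.primary or self.actor

    def _log(self, event, allowed):
        # Both identities go into every record, so the trail always shows
        # who really performed an action and under whose authority.
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                           "actor": self.actor,
                           "on_behalf_of": self.effective_user,
                           "event": event, "allowed": allowed})
        return allowed

    def act_for(self, primary):
        # Deny by default: the actor must be explicitly delegated to this primary.
        allowed = primary in DELEGATIONS.get(self.actor, set())
        if allowed:
            self.primary = primary
        return self._log(f"act_for:{primary}", allowed)

    def check(self, permission):
        # Authorization uses the effective (primary) user's permissions only.
        allowed = permission in PERMISSIONS.get(self.effective_user, set())
        return self._log(f"check:{permission}", allowed)

    def remote_id(self):
        # Present the primary's remote identity; None when no mapping exists.
        return REMOTE_IDS.get(self.effective_user)
```

Failed `act_for` attempts are logged as well, which gives the audit trail a record of assistants trying to select a primary they were never delegated to.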