[Zope] Permission

Tom Deprez tom.deprez@uz.kuleuven.ac.be
Wed, 09 Aug 2000 15:31:41 +0200


Hi,

I have this q'n already a long time in my head and I still don't know the
answer to it. It has to do with the security-view. I hope that someone can
shed a light on my brains.

Why is their an Acquire permission (referred to as acq_perm in following
text) checkbox column? 

In order to change a permission for a certain role, we have to check or
uncheck this permission at the roles permission checkbox. However, for this
to work we have to uncheck the acq_perm column (because if this one is
checked, the permission is taken from parent-folder-objects anyway, the
value of the role checkbox doesn't counts at that moment). As a drawback,
this means that all roles have to be checked/unchecked, because they don't
acquire the permission anymore from one of its parents-folder-objects.


Now, why couldn't this be implemented like the following? Isn't this easier
to grasp?

The Acq_perm column doesn't exists. Assume that acquisition of a permission
is always Active. The checkboxes of the role show their actual value
(according to the acquisition). Thus if permissionA is checked in the
parent-object, permissionA is also checked. If you want, for a certain role
that this permission is not given, you uncheck permissionA. The subobject
will show an unchecked permissionA box (because it acquires from its
parent). In order to give the subobject again the permission, we only have
to check permissionA.

A) In the first approach we've to uncheck the acq_perm checkbox and have to
set the checkbox of every role according to how we want the permission to
be handled by that role.

B) In the second approach we've to uncheck the permission checkbox of the
role(s). Other roles are not effected.

Am I missing something here? Is my explenation somewhere wrong? Why does
Zope uses the first approach? Which, sounds for me, a little bit more
complicated.

Thanks for any explanation!

Tom Deprez.