[Zope] Role and-ing, rather than or-ing?

Etienne Labuschagne elabuschagne@gmsonline.co.za
Tue, 25 Mar 2003 17:08:21 +0200


Here is my scenario:

I have a folder Acme in my portal (and many other companies' folders - see 
great ASCII art at the end of message ;).  Only employees of Acme should be 
able to view Acme and all its sub folders.  So, I assign the View right to 
the User role in folder Acme.  Now I must give all the employees of Acme 
the local role User to give them access to Acme's folder. So far, so good.

Now I want users of the site to be able to pay a fee to get access to 
"special" resources.  For instance, Johnny is given the local role User in 
the folder Acme (he is an employee), but also the global role, PaidUser as 
he paid for access to special resources.  This should give him access to 
special resources in the public parts of the site AND special resources 
under Acme's folder.

In the public parts (which are not a specific company's sub folder), I 
assign the View right to PaidUser in the public folder.  I assign the View 
right to both User AND PaidUser in the special resources folder under 
Acme.  My problem is that the folder will allow people with User role OR 
PaidUser role to view the folder, not people with User role AND PaidUser role.

The only solution I see is the moment I upgrade Johnny from User to 
PaidUser, I must walk through the site and find all the folders where he has 
the local role User, then change that to PaidUser.  This is quite a pain 
and doesn't feel like a great idea.

Any better suggestions?

Thanks
Etienne


ROOT ------ Acme ------ AcmeSpecial
          |
          |
          -----Public ------ Public Special
          |
          |
          -----Slacme ------- SlacmeSpecial


Johnny is user on Acme, and PaidUser globally.  I would like to mark 
AcmeSpecial's view right only for people with BOTH User AND SpecialUser, 
this doesn't seem possible in Zope's security model.  PublicSpecial will 
only be marked as Viewable for PaidUser.  So Johnny should be able to see: 
Acme, AcmeSpecial, Public, PublicSpecial, but not Slacme and SlacmeSpecial.
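
Added example, not part of the original message and not Zope's API: a small Python model of the folder layout above, comparing the any-role (OR) check the post describes with the all-roles (AND) check it asks for. The users alice and bob, the implicit "Anonymous" role on Public, and all function names are assumptions made for illustration.

```python
# Toy model of the folder layout in the post. Not Zope's API; names are illustrative.
PARENT = {"Acme": None, "AcmeSpecial": "Acme", "Public": None,
          "PublicSpecial": "Public", "Slacme": None, "SlacmeSpecial": "Slacme"}

# Roles ticked for the View permission on each folder, as the post describes.
# Assumption: plain Public is open to everyone via an implicit "Anonymous" role.
VIEW_ROLES = {
    "Acme": {"User"}, "AcmeSpecial": {"User", "PaidUser"},
    "Public": {"Anonymous"}, "PublicSpecial": {"PaidUser"},
    "Slacme": {"User"}, "SlacmeSpecial": {"User", "PaidUser"},
}

# Constructed users: johnny is from the post; alice and bob are added for contrast.
GLOBAL_ROLES = {"johnny": {"PaidUser"}, "alice": set(), "bob": {"PaidUser"}}
LOCAL_ROLES = {"Acme": {"johnny": {"User"}, "alice": {"User"}}}


def effective_roles(user, folder):
    """Global roles plus local roles granted on the folder or any ancestor."""
    roles = {"Anonymous"} | GLOBAL_ROLES.get(user, set())
    while folder is not None:
        roles |= LOCAL_ROLES.get(folder, {}).get(user, set())
        folder = PARENT[folder]
    return roles


def can_view_any(user, folder):
    """OR semantics: holding any one listed role is enough."""
    return bool(effective_roles(user, folder) & VIEW_ROLES[folder])


def can_view_all(user, folder):
    """AND semantics the post asks for: every listed role is required."""
    return VIEW_ROLES[folder] <= effective_roles(user, folder)


def visible(user, check):
    """Sorted list of folders the user may view under the given check."""
    return sorted(f for f in VIEW_ROLES if check(user, f))


if __name__ == "__main__":
    for user in GLOBAL_ROLES:
        print(user, "OR :", visible(user, can_view_any))
        print(user, "AND:", visible(user, can_view_all))
```

Under the OR check, any PaidUser reaches AcmeSpecial and SlacmeSpecial without being an employee of either company; under the AND check Johnny sees exactly the four folders listed in the message.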