[Zope] Local Roles and Acquisition

nwingfield at che-llp.com
Tue Sep 9 11:59:07 EDT 2003


I am developing the security model for a ZODB-based document management
Product (with a capital P).  I am only using two primary local roles:
'Viewer' and 'Owner.'  Because I wish to mimic the security model in a
Linux/UNIX environment, I would like to grant everyone at least the
'Viewer' local role on the root of the folder/document tree, but have the
option to lock down particular folders at a lower point in the tree.  For
example:

           Home (Everyone = 'Viewer')
            |
       --------------------------
       |                        |
  Joe's stuff              Sam's stuff
(Joe = 'Owner')          (Sam = 'Owner')

In this situation, I do not wish for local roles to be acquired from above.
In other words, I don't want Joe to acquire the local role of 'Viewer' when
attempting to look at Sam's stuff.

Because Zope makes the bold assertion that security should always get more
permissive the deeper one traverses the object hierarchy, is there no way
to do this short of hacking the 'getRolesInContext()' method?  I have no
interest in tweaking the permission-to-role grid on every particular folder
and document, as this system will contain an indefinite depth of folders
and a large volume of documents (hundreds of thousands).

Thanks!
Nathaniel Wingfield
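
The following is an added example, not part of the original post and not Zope code. It is a simplified model of the lookup described above: local roles are merged from a folder up to the root, next to a variant that stops at a flagged folder. Node, EVERYONE, block_acquired_roles, honour_block and the "Sam's drafts" folder are hypothetical names introduced for illustration.

```python
# Simplified model of local-role lookup in a containment tree. This is not
# Zope code; Node, EVERYONE and block_acquired_roles are hypothetical names.
EVERYONE = "Everyone"  # constructed pseudo-principal matching any user


class Node:
    def __init__(self, name, parent=None, local_roles=None, block_acquired_roles=False):
        self.name = name
        self.parent = parent
        self.local_roles = local_roles or {}   # principal -> set of role names
        self.block_acquired_roles = block_acquired_roles


def roles_in_context(user, node, honour_block=False):
    """Collect the user's local roles from node up to the root.

    honour_block=False merges every ancestor's local roles (the acquiring
    behaviour the post describes). honour_block=True stops climbing at the
    first node flagged block_acquired_roles (the lock-down the post asks for).
    """
    roles = set()
    while node is not None:
        for principal in (user, EVERYONE):
            roles |= set(node.local_roles.get(principal, ()))
        if honour_block and node.block_acquired_roles:
            break
        node = node.parent
    return roles


def build_tree():
    # Constructed sample data mirroring the diagram in the post.
    home = Node("Home", local_roles={EVERYONE: {"Viewer"}})
    joe = Node("Joe's stuff", home, {"Joe": {"Owner"}})
    sam = Node("Sam's stuff", home, {"Sam": {"Owner"}}, block_acquired_roles=True)
    deep = Node("Sam's drafts", sam)  # deeper folder with no local roles of its own
    return home, joe, sam, deep


if __name__ == "__main__":
    home, joe, sam, deep = build_tree()
    for target in (home, joe, sam, deep):
        print(target.name,
              sorted(roles_in_context("Joe", target)),
              sorted(roles_in_context("Joe", target, honour_block=True)))
```

In this model a single flag on "Sam's stuff" also covers every folder beneath it, so nothing has to be set per document.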

