[Zope3-dev] Permissions and workflow
Shane Hathaway
shane@zope.com
Wed, 19 Dec 2001 10:56:15 -0500
Lennart Regebro wrote:
> I guess the functionality to have different permission in different workflow
> states will be used mainly for two things:
> 1. Protecting the workflow transitions, so that only people with the correct
> rights can move the object from state A to State B.
> 2. Protecting the visibility of non-published objects.
>
> Number one is internal to the workflow system, and therefore poses no
> challenge, but number two protects a method native to the object and is
> therefore slightly more complex.
Right. I would generalize requirement #2 to "Protecting
non-workflow-aware methods based on workflow status."
> If there is a method in your object wheer you want people to have different
> permissions depending on what the workflow-state is, then you can't use the
> config file to set permissions because they are static. Instead you have to
> make a check inside the method, right?
>
> Now, how can this check be done easily without the object in itself having
> knowledge about the workflow configuration? It seems to me that the only
> alternative is that the workflow service has a security check of it's own,
> so that you can set up a role to permissions mapping there that is sensitive
> to the workflow state.
I think what Jim has in mind is that you'll be able to register a local
roles adapter for arbitrary objects. For workflowed objects, you'll
register an adapter that is aware of workflow state, and map different
people to different roles depending on the state. I think it could work
very well, assuming I have accurately guessed Jim's intentions. :-)
Shane