[Zope3-dev] Mini-proposal: new principal interface in zope.security for full closure of group membership

Gary Poster gary at zope.com
Thu Jan 12 14:13:09 EST 2006


Primary problem:
We frequently want to know the full closure of group membership.  The  
groups attribute of zope.security.interfaces.IGroupAwarePrincipal is  
a list of groups to which the principal directly belongs.  The full  
closure--including the groups to which the principal's groups belong,  
for instance--must be calculated by any piece of code that needs it.

Secondary problem:
The description of  
zope.security.interfaces.IGroupAwarePrincipal.groups does not  
sufficiently clarify that it is *not* a full closure.

Consideration:
zope.security.interfaces.IGroupAwarePrincipal has been around for  
a while, and probably should not be materially changed (i.e., to  
redefine or add an attribute).

Solution:

1) Clarify the zope.security.interfaces.IGroupAwarePrincipal.groups  
description: change from
"List of ids of groups the principal belongs to"
to
"List of ids of groups to which the principal directly belongs"

2) Add an additional interface to zope.security.interfaces.

class IGroupClosureAwarePrincipal(IGroupAwarePrincipal):
    # double-quoted so the apostrophe in "principal's" does not end the string
    allGroups = interface.Attribute(
        "a readonly iterable of the full closure of the principal's "
        "groups.")

3) Make the principals in zope.app.authentication implement  
IGroupClosureAwarePrincipal.  First cut of 'allGroups' would probably  
be to make it be a lazy property, returning a tuple of the full closure.

Risks:
Some might be unhappy that allGroups is not a hook point, but a  
convenience: that is, it will be a full closure, not an opportunity  
to be clever to redefine how group membership is calculated.

Thoughts?

Gary
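
The closure calculation and lazy 'allGroups' property proposed above, as an added example that is not part of the original post and is not zope.security or zope.app.authentication code. The GROUPS mapping, the Principal class and the group_closure helper are hypothetical stand-ins; the sample data is constructed and includes a membership cycle to show that the walk terminates.

```python
# Added illustration; not zope.security or zope.app.authentication code.
# GROUPS, Principal and group_closure are hypothetical stand-ins for an
# authentication utility and its principals.

# Constructed sample data: id -> ids of the groups it directly belongs to.
GROUPS = {
    "alice": ["editors"],
    "editors": ["staff"],
    "staff": ["everyone", "editors"],  # cycle: staff -> editors -> staff
    "everyone": [],
}


def group_closure(direct, lookup):
    """Return a tuple of every group id reachable from `direct`.

    `lookup(group_id)` returns the ids of the groups that group directly
    belongs to. Each id is visited once, so cyclic nesting terminates.
    """
    ordered = []
    visited = set()
    stack = list(reversed(direct))
    while stack:
        gid = stack.pop()
        if gid in visited:
            continue
        visited.add(gid)
        ordered.append(gid)
        stack.extend(reversed(lookup(gid)))
    return tuple(ordered)


class Principal:
    def __init__(self, id, groups, lookup):
        self.id = id
        self.groups = list(groups)  # direct membership only
        self._lookup = lookup
        self._all_groups = None

    @property
    def allGroups(self):
        # Lazy: computed on first access, then cached as a tuple.
        if self._all_groups is None:
            self._all_groups = group_closure(self.groups, self._lookup)
        return self._all_groups


alice = Principal("alice", GROUPS["alice"], lambda gid: GROUPS.get(gid, []))
```

A permission check against alice.groups sees only "editors", while alice.allGroups also yields "staff" and "everyone". Because the tuple is cached on the principal object, a membership change made afterwards is not reflected until a new principal object is created.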

