[Zope3-dev] Re: full closure of group membership
Florent Guillaume
fg at nuxeo.com
Thu Jan 12 19:16:09 EST 2006
Gary Poster wrote:
> Primary problem:
> We frequently want to know the full closure of group membership. The
> groups attribute of zope.security.interfaces.IGroupAwarePrincipal is a
> list of groups to which the principal directly belongs. The full
> closure--including the groups to which the principal's groups belong,
> for instance--must be calculated by any piece of code that needs it.
>
> Secondary problem:
> The description of zope.security.interfaces.IGroupAwarePrincipal.groups
> does not sufficiently clarify that it is *not* a full closure.
>
> Consideration:
> zope.security.interfaces.IGroupAwarePrincipal has been around for
> awhile, and probably should not be materially changed (i.e., to
> redefine or add an attribute).
>
> Solution:
>
> 1) Clarify the zope.security.interfaces.IGroupAwarePrincipal.groups
> description: change from
> "List of ids of groups the principal belongs to"
> to
> "List of ids of groups to which the principal directly belongs"
>
> 2) Add an additional interface to zope.security.interfaces interface.
>
>     class IGroupClosureAwarePrincipal(IGroupAwarePrincipal):
>         allGroups = interface.Attribute(
>             "a readonly iterable of the full closure of the principal's "
>             "groups.")
>
> 3) Make the principals in zope.app.authentication implement
> IGroupClosureAwarePrincipal. First cut of 'allGroups' would probably
> be to make it be a lazy property, returning a tuple of the full closure.
>
> Risks:
> Some might be unhappy that allGroups is not a hook point, but a
> convenience: that is, it will be a full closure, not an opportunity to
> be clever to redefine how group membership is calculated.
+1, a long time ago I suggested something similar because in the CPS
framework of groups we need knowledge both of direct membership and
transitive closure (we have a getGroups method that's the direct groups,
and a getComputedGroups that's the transitive closure and is used for
instance when we have groups of groups).
I'm still not using the zope 3 principal framework but at some point I
know I'll need it in zope 3 too :)
Do you think your interfaces fit the need of "computed" groups? I'm not
sure if the meaning of "computed" is clear but I can expand on that if
it's not (for instance, it could be for the case where groups exist
dynamically according to some computation on the principal's properties).
Florent
--
Florent Guillaume, Nuxeo (Paris, France) Director of R&D
+33 1 40 33 71 59 http://nuxeo.com fg at nuxeo.com
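
The distinction discussed in this thread, direct membership versus the full closure exposed as a lazy 'allGroups', as an added example that is not part of the original messages and is not zope.security or zope.app.authentication code. It assumes a plain dict as the group directory; `DIRECT_GROUPS`, `all_groups` and `Principal` are hypothetical names.

```python
from collections import deque

# Constructed sample directory: id -> ids of groups it *directly* belongs to.
DIRECT_GROUPS = {
    "alice": ["editors"],
    "editors": ["staff"],
    "staff": ["everyone", "editors"],  # cyclic nesting: staff <-> editors
    "everyone": [],
    "bob": ["contractors"],            # "contractors" has no directory entry
}


def all_groups(principal_id, direct_groups=DIRECT_GROUPS):
    """Return the full closure of group ids for principal_id as a tuple.

    Breadth-first walk over direct membership. Each group is expanded only
    once, so cyclic nesting terminates. A group with no directory entry is
    kept in the result and treated as having no parent groups.
    """
    seen = set()
    order = []
    queue = deque(direct_groups.get(principal_id, ()))
    while queue:
        group_id = queue.popleft()
        if group_id in seen or group_id == principal_id:
            continue
        seen.add(group_id)
        order.append(group_id)
        queue.extend(direct_groups.get(group_id, ()))
    return tuple(order)


class Principal:
    """Hypothetical principal: 'groups' is direct, 'allGroups' is the closure."""

    def __init__(self, id, directory=DIRECT_GROUPS):
        self.id = id
        self._directory = directory
        self.groups = list(directory.get(id, ()))  # direct membership only
        self._all_groups = None

    @property
    def allGroups(self):
        # Lazy: computed on first access, then cached on this object.
        if self._all_groups is None:
            self._all_groups = all_groups(self.id, self._directory)
        return self._all_groups
```

Because the closure is cached on the principal object, a membership change in the directory is not reflected until a new principal object is created.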