[Zope3-Users] PAU - how to give a principal a role

[Dominique Lederer]

Hermann Himmelbauer wrote:
> Hi,
> I have to write an Authenticator Plugin for my application. My login/pass data 
> is stored in a relational database, which I access via zsqlalchemy.
> 
> I have several objects, which are secured by certain permissions. Moreover I 
> granted permissions to several roles, which I also defined.
> 
> My problem is how to give users, which are stored in my database, the correct 
> role (and therefore permission). If I understand it right, an Authenticator 
> Plugin returns a principal, which represents a user in the database, but how 
> can I map the principal to a specific role? 
> 
> Are principals mapped one to one from users to principals? Or should I perhaps 
> map many users to one principal?

i mapped the specific roles to a user group (principal), which is then assigned
via zope.app.authentication.interfaces.IAuthenticatedPrincipalCreated
like
def addGroupToPrincipal(event):
    event.principal.groups.append("mygroup")

> What I further don't understand is if and why authenticator plugins are called 
> when credentials are correctly retrieved via e.g. the 
> SessionCredentialsPlugin or how I can prevent it:
> 
> When the user logs in, there are no credentials and he has to supply them via 
> the login form. Then he is authenticated by the AuthenticatorPlugin (e.g. the 
> database is queried for user/pass), and the credentials are stored in the 
> session.
> 
> However, for subsequent requests, I think it makes no sense to query the 
> database again, as the user has already authenticated - or am I getting 
> something wrong?

i save the time, when the authenticator authenticated its credentianls in the
database in a session, then i set a lease time, where the database is not looked
up. in this period, the user principalinfo is retrieved from the session.

so i prevent the db lookup on every request.

> 
> Best Regards,
> Hermann
> 

cheers
Dominique