[Zope3-Users] PAU - how to give a principal a role
Darryl Cousins
darryl at darrylcousins.net.nz
Tue May 15 20:16:07 EDT 2007
Hi,
On Tue, 2007-05-15 at 18:02 +0200, Hermann Himmelbauer wrote:
> Hi,
> I have to write an Authenticator Plugin for my application. My login/pass data
> is stored in a relational database, which I access via zsqlalchemy.
>
> I have several objects, which are secured by certain permissions. Moreover I
> granted permissions to several roles, which I also defined.
>
> My problem is how to give users, which are stored in my database, the correct
> role (and therefore permission). If I understand it right, an Authenticator
> Plugin returns a principal, which represents a user in the database, but how
> can I map the principal to a specific role?

from zope.app.securitypolicy.interfaces import IPrincipalRoleManager

role_manager = IPrincipalRoleManager(ob)
# ob may be the site or any other object
# therole and principalid are the role id and the principal id
role_manager.assignRoleToPrincipal(therole, principalid)

Like Dominique, I also usually assign roles to groups and the users to
the group rather than directly assigning the role to the principal. (Groups
are principals.)
Hope this helps
Regards,
Darryl
>
> Are principals mapped one to one from users to principals? Or should I perhaps
> map many users to one principal?
>
> What I further don't understand is if and why authenticator plugins are called
> when credentials are correctly retrieved via e.g. the
> SessionCredentialsPlugin or how I can prevent it:
>
> When the user logs in, there are no credentials and he has to supply them via
> the login form. Then he is authenticated by the AuthenticatorPlugin (e.g. the
> database is queried for user/pass), and the credentials are stored in the
> session.
>
> However, for subsequent requests, I think it makes no sense to query the
> database again, as the user has already authenticated - or am I getting
> something wrong?
>
> Best Regards,
> Hermann
>
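
Added example, not part of the original thread and not Zope's own code: a standard-library model of the lookup the reply relies on, showing how a role assigned to a group on the site reaches each member on contained objects and how a nearer assignment overrides it. Node, the helper functions, and the principal, role and permission ids are assumptions; only assignRoleToPrincipal and removeRoleFromPrincipal mirror method names on IPrincipalRoleManager.

```python
# Simplified stand-in for the Zope 3 role lookup (standard library only). Names
# are hypothetical except assignRoleToPrincipal / removeRoleFromPrincipal.
class Node:
    """An object in the containment tree with local role assignments."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.assignments = {}  # (role, principal_id) -> True (Allow) / False (Deny)

    def assignRoleToPrincipal(self, role, principal_id):
        self.assignments[(role, principal_id)] = True

    def removeRoleFromPrincipal(self, role, principal_id):
        self.assignments[(role, principal_id)] = False

def expand_groups(principal_id, memberships):
    """Return the principal id plus every group it belongs to, transitively."""
    seen, todo = set(), [principal_id]
    while todo:
        pid = todo.pop()
        if pid not in seen:
            seen.add(pid)
            todo.extend(memberships.get(pid, ()))
    return seen

def roles_on(node, principal_id, memberships):
    """Roles in effect on node; settings nearer to node override the site's."""
    chain = []
    while node is not None:
        chain.append(node)
        node = node.parent
    ids = expand_groups(principal_id, memberships)
    settings = {}
    for n in reversed(chain):  # site first, node last
        for (role, pid), allow in n.assignments.items():
            if pid in ids:
                settings[(role, pid)] = allow
    return {role for (role, _), allow in settings.items() if allow}

def check(node, principal_id, permission, memberships, role_permissions):
    """True if any role in effect on node grants the permission."""
    held = roles_on(node, principal_id, memberships)
    return any(permission in role_permissions.get(r, ()) for r in held)

# Constructed sample data (not from the original post).
site = Node("site")
reports = Node("reports", parent=site)
MEMBERSHIPS = {"db.alice": ["group.editors"], "db.bob": []}
ROLE_PERMISSIONS = {"myapp.Editor": {"myapp.EditReport"}}
site.assignRoleToPrincipal("myapp.Editor", "group.editors")
```

With this data, check(reports, "db.alice", "myapp.EditReport", MEMBERSHIPS, ROLE_PERMISSIONS) is true through the group alone, so taking a user out of the group revokes access without touching any role assignment.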