RE: [Zope-dev] acl_users
> > In AccessControl/User.py, acl_users is used as the name of user folder
> > objects in their classes, and in the constructor, code checks for an
> > existing "acl_users" object to prevent dual-adding user folders. This
> > could be changed to check whether __allow_groups__ has an id, and then
> > checking whether that 'id' exists.
>
> I've read through all the Zope source that uses __allow_groups__, so I
> think I know what it is used for.
>
> What I can't work out is, why is this value called __allow_groups__ ?
>
> Can anyone offer any insight?

Long ago, when the sky was dark and the earth boiled and the primordial elements of Zope were brewing, __allow_groups__ was a simple dictionary-like thing that was generally hard-coded in applications to control access (and the publisher used it directly).

As the earth cooled and simple life began to emerge, the __allow_groups__ structures became manageable through the web in a relatively rudimentary way (but still looked a lot like simple dicts to the publisher).

By the time the hairy mammals began walking upright and Zope assumed the general form we see today, the publisher expected __allow_groups__ to be either a dict-like object or to have a 'validate' method. In theory, it still supports the old dict behavior today.

Maybe not insight, but a little history at least... 8^)

Brian Lloyd [EMAIL PROTECTED]
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] acl_users
Phillip J. Eby wrote:
>
> In AccessControl/User.py, acl_users is used as the name of user folder
> objects in their classes, and in the constructor, code checks for an
> existing "acl_users" object to prevent dual-adding user folders. This
> could be changed to check whether __allow_groups__ has an id, and then
> checking whether that 'id' exists.

I've read through all the Zope source that uses __allow_groups__, so I think I know what it is used for.

What I can't work out is, why is this value called __allow_groups__ ?

Can anyone offer any insight?

--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net

Re: [Zope-dev] acl_users
"Phillip J. Eby" wrote:
>
> At 07:55 PM 9/20/00 -0600, Bill Anderson wrote:
> >
> >Potentially silly question:
> >
> >Any reason why a 'user folder' object has to be named 'acl_users'.
> >
>
> Interesting. A quick search of the Zope source turns up only 9 references
> to 'acl_users', found in only 4 source files.

> Personally, I think it's an intriguing idea, as I have had more than one
> application where I would rather have called a LoginManager by some name
> other than 'acl_users'. But I'm not sure it would be worth the work.

One of the ideas I am kicking around is that of CommunityMembershipSystem. In Membership-CMS, a user folder would need to be made, to house the user's objects. Now, there are a few ways of doing this...here are two:

1) Have the install method add a folder to do this with
2) Have the objects stored in the user object.

Both have their ups and downs. For example, (2) would not separate UID from URL's too cleanly; though it would be easier to implement in short order. Meanwhile, (1) requires the install method be given more information (where to put the folder?), and could be trickier to debug.

In (2), the url to the member's folder would be "/Members/username" instead of "/acl_users/username", provided the userfolder could be named something else. I don't see a reason off hand for a UserFolder to be renamable.

Another reason I have considered it, is that it lends a _weak_ amount of security-through-obscurity. For example, if you see the following in a URL ".../acl_users/loginForm", you know that the site is running Zope, and where the authorization takes place. I dunno if I like it being _that_ obvious.

--
E PLURIBUS LINUX

Re: [Zope-dev] acl_users
At 07:55 PM 9/20/00 -0600, Bill Anderson wrote:
>
>Potentially silly question:
>
>Any reason why a 'user folder' object has to be named 'acl_users'.
>

Interesting. A quick search of the Zope source turns up only 9 references to 'acl_users', found in only 4 source files.

In OFS/Application.py, acl_users is the name of the default user folder. No change would be needed here to allow differently named user folders.

In AccessControl/User.py, acl_users is used as the name of user folder objects in their classes, and in the constructor, code checks for an existing "acl_users" object to prevent dual-adding user folders. This could be changed to check whether __allow_groups__ has an id, and then checking whether that 'id' exists.

In AccessControl/Role.py, acl_users is assumed to be the name of a user folder to be used for retrieving user names. However, there is no reason this code couldn't check for __allow_groups__ instead.

In AccessControl/access.dtml, certain security options (creating user-defined roles) are suppressed if the managed object has an id of 'acl_users'. I'm not sure how to patch this one. It would probably make sense to have a class attribute for user folders which overrode a default in AccessControl.Role.RoleManager. e.g. "allowSettingUserDefinedRoles" or some such.

With these straightforward (but not necessarily simple) changes, Zope could be made to support the presence of user folders with other names. If it was desired to have it support adding or renaming of user folders with other names, additional changes would be required. For example, the add form for a user folder.

Personally, I think it's an intriguing idea, as I have had more than one application where I would rather have called a LoginManager by some name other than 'acl_users'. But I'm not sure it would be worth the work.
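
Added example, not part of any message in this thread and not Zope source: a simplified stand-alone model of the two mechanisms discussed above, the dual-add guard keyed on the id of __allow_groups__ instead of the literal name 'acl_users', and a publisher-style check that accepts either an object with a 'validate' method or a dict-like __allow_groups__. The names Folder, UserFolder, add_user_folder and authorize, the walk up through parent containers, and the legacy dict layout (role -> {username: password}) are assumptions made for illustration.

```python
import hmac

# Simplified stand-alone model, not Zope source. Folder, UserFolder,
# add_user_folder and authorize are hypothetical names.

def _same(stored, given):
    """Constant-time comparison; a missing stored value never matches."""
    return stored is not None and hmac.compare_digest(stored, given)

class UserFolder:
    def __init__(self, id, users):
        self.id = id
        self._users = dict(users)          # name -> (password, roles); plaintext only in this model

    def validate(self, name, password, roles):
        stored, granted = self._users.get(name, (None, ()))
        ok = _same(stored, password) and set(roles) & set(granted)
        return name if ok else None

class Folder:
    def __init__(self, parent=None):
        self.parent = parent
        self.objects = {}
        self.__allow_groups__ = None       # local user folder, if any

def add_user_folder(container, uf):
    """Dual-add guard keyed on the id of __allow_groups__, not on 'acl_users'."""
    current_id = getattr(container.__allow_groups__, "id", None)
    if current_id is not None and current_id in container.objects:
        raise ValueError("user folder %r already present" % current_id)
    container.objects[uf.id] = uf
    container.__allow_groups__ = uf

def authorize(obj, name, password, roles):
    """Try each __allow_groups__ from obj up to the root."""
    while obj is not None:
        groups = getattr(obj, "__allow_groups__", None)
        if hasattr(groups, "validate"):
            user = groups.validate(name, password, roles)
        elif groups is not None:
            # Assumed legacy dict layout: role -> {username: password}
            hit = any(_same(groups.get(r, {}).get(name), password) for r in roles)
            user = name if hit else None
        else:
            user = None
        if user is not None:
            return user
        obj = obj.parent
    return None
```

A guard that only looked for an object named 'acl_users' would let a second user folder be added next to one called 'Members'; the guard here refuses it because the container's existing __allow_groups__ object is still present under its own id.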