[Zope3-dev] Re: Mini-proposal: member-aware group interface

Thu, 12 Jan 2006 16:21:51 -0800 

Gary Poster wrote:

Problem:
We need to be able to iterate over the members of a group, given a group id. With the interfaces in zope.security, the only way to do this is to iterate over all principals known to the system, check their `groups` attribute, and if the group id is in the list then include it. This is obviously problematic. 


If we constrain ourselves to the pluggable authentication utility in  
zope.app.authentication, we have some help, but it is pretty  
inconvenient and conceivably problematic.  The following (untested  
sketch of a) approach is a good try for the common case, but won't  
handle nested authentication utilities, and relies on an interface  not 
in an interfaces.py:


from zope import component
from zope.app.authentication import interfaces
import zope.app.authentication.groupfolder

group_id = 'foo'

auth = component.getUtility(interfaces.IPluggableAuthentication)
for name in auth.authenticatorPlugins:
    plugin = component.queryUtility(
        interfaces.IAuthenticatorPlugin, name, context=auth)

    if zope.app.authentication.groupfolder.IGroupFolder.providedBy 
(plugin):

        try:
            principals = plugin.getPrincipalsForGroup(group_id)
        except KeyError:
            pass
        else:
            break
else:
    raise RuntimeError('Not Found')


Or something like that.  As I said, this doesn't even handle some of  
the more complex cases.  Whew!


Solution:
Add a new interface to zope.security.interfaces:

class IMemberAwareGroup(IGroup):
    members = interface.Attribute('an iterable of members of the  group')


Then make the groups that the zope.app.authentication.groupfolder  
plugin generates implement the new interface.



I think I'm for it, but in some cases even though groups may be able to 
list all their members it may (if they're dynamically computed) turn out 
to be a huge list. I guess in that case you could simply not advertise 
that the group implements the interface.


Florent

--
Florent Guillaume, Nuxeo (Paris, France)   Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   [EMAIL PROTECTED]
_______________________________________________
Zope3-dev mailing list
Zope3-dev@zope.org
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com























					Reply via email to