Re: [Zope3-Users] PAU - how to give a principal a role

2007-05-15 Thread Darryl Cousins
Hi,

On Tue, 2007-05-15 at 18:02 +0200, Hermann Himmelbauer wrote:
> Hi,
> I have to write an Authenticator Plugin for my application. My login/pass data
> is stored in a relational database, which I access via zsqlalchemy.
> 
> I have several objects, which are secured by certain permissions. Moreover I 
> granted permissions to several roles, which I also defined.
> 
> My problem is how to give users, which are stored in my database, the correct 
> role (and therefore permission). If I understand it right, an Authenticator 
> Plugin returns a principal, which represents a user in the database, but how 
> can I map the principal to a specific role? 

from zope.app.securitypolicy.interfaces import IPrincipalRoleManager
role_manager = IPrincipalRoleManager(ob) 
# ob may be the site or any other object
role_manager.assignRoleToPrincipal(therole, principalid)

Like Dominique I also usually assign roles to groups and the users to
the group rather than directly assigning role to the principal. (Groups
are principals).

Hope this helps

Regards,
Darryl

> 
> Are principals mapped one to one from users to principals? Or should I perhaps
> map many users to one principal?
> 
> What I further don't understand is if and why authenticator plugins are called
> when credentials are correctly retrieved via e.g. the SessionCredentialsPlugin
> or how I can prevent it:
> 
> When the user logs in, there are no credentials and he has to supply them via 
> the login form. Then he is authenticated by the AuthenticatorPlugin (e.g. the 
> database is queried for user/pass), and the credentials are stored in the 
> session.
> 
> However, for subsequent requests, I think it makes no sense to query the 
> database again, as the user has already authenticated - or am I getting 
> something wrong?
> 
> Best Regards,
> Hermann
> 

___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users


Re: [Zope3-Users] PAU - how to give a principal a role

2007-05-15 Thread Dominique Lederer
Hermann Himmelbauer wrote:
> Hi,
> I have to write an Authenticator Plugin for my application. My login/pass data
> is stored in a relational database, which I access via zsqlalchemy.
> 
> I have several objects, which are secured by certain permissions. Moreover I 
> granted permissions to several roles, which I also defined.
> 
> My problem is how to give users, which are stored in my database, the correct 
> role (and therefore permission). If I understand it right, an Authenticator 
> Plugin returns a principal, which represents a user in the database, but how 
> can I map the principal to a specific role? 
> 
> Are principals mapped one to one from users to principals? Or should I perhaps
> map many users to one principal?

I mapped the specific roles to a user group (principal), which is then assigned
via zope.app.authentication.interfaces.IAuthenticatedPrincipalCreated
like

    def addGroupToPrincipal(event):
        event.principal.groups.append("mygroup")

> What I further don't understand is if and why authenticator plugins are called
> when credentials are correctly retrieved via e.g. the SessionCredentialsPlugin
> or how I can prevent it:
> 
> When the user logs in, there are no credentials and he has to supply them via 
> the login form. Then he is authenticated by the AuthenticatorPlugin (e.g. the 
> database is queried for user/pass), and the credentials are stored in the 
> session.
> 
> However, for subsequent requests, I think it makes no sense to query the 
> database again, as the user has already authenticated - or am I getting 
> something wrong?

I save the time when the authenticator authenticated its credentials in the
database in a session, then I set a lease time, where the database is not looked
up. In this period, the user principalinfo is retrieved from the session.

So I prevent the db lookup on every request.

> 
> Best Regards,
> Hermann
> 

cheers
Dominique
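
The lease-time approach described in the reply above, as an added example that is not part of the original post and not Zope's own code. It is a plain-Python stand-in: LeasedAuthenticator, credential_digest, sample_db_check, the 300-second lease and the USERS table are all hypothetical names and constructed values.

```python
import hashlib
import hmac
import time

LEASE_SECONDS = 300  # assumed lease length; the post does not give one


def credential_digest(login, password, session_key):
    """Keyed digest, so the cache entry never holds the plaintext password."""
    msg = login.encode() + b"\x00" + password.encode()
    return hmac.new(session_key, msg, hashlib.sha256).hexdigest()


class LeasedAuthenticator:
    """Hypothetical wrapper: queries the database only when the lease has lapsed."""

    def __init__(self, db_check, session_key, lease=LEASE_SECONDS, clock=time.time):
        self.db_check = db_check      # callable(login, password) -> info dict or None
        self.session_key = session_key
        self.lease = lease
        self.clock = clock
        self.db_lookups = 0           # counter, so the saving can be observed

    def authenticate(self, session, login, password):
        now = self.clock()
        digest = credential_digest(login, password, self.session_key)
        cached = session.get("auth")
        if (cached
                and now - cached["checked_at"] < self.lease
                and hmac.compare_digest(cached["digest"], digest)):
            return cached["info"]     # inside the lease: no database query
        # First request, lease expired, or different credentials: ask the database.
        self.db_lookups += 1
        info = self.db_check(login, password)
        if info is None:
            session.pop("auth", None)  # failed check: drop any cached principal info
            return None
        session["auth"] = {"checked_at": now, "digest": digest, "info": info}
        return info


# Constructed sample data standing in for the relational user table
# (a real table would hold a password hash, not the password).
USERS = {"hermann": {"password": "s3cret", "groups": ["mygroup"]}}


def sample_db_check(login, password):
    row = USERS.get(login)
    if row and hmac.compare_digest(row["password"].encode(), password.encode()):
        return {"id": login, "groups": list(row["groups"])}
    return None
```

The lease is also the longest time a disabled account or changed group membership keeps working from an existing session, so it should be chosen with that revocation delay in mind.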



[Zope3-Users] PAU - how to give a principal a role

2007-05-15 Thread Hermann Himmelbauer
Hi,
I have to write an Authenticator Plugin for my application. My login/pass data 
is stored in a relational database, which I access via zsqlalchemy.

I have several objects, which are secured by certain permissions. Moreover I 
granted permissions to several roles, which I also defined.

My problem is how to give users, which are stored in my database, the correct 
role (and therefore permission). If I understand it right, an Authenticator 
Plugin returns a principal, which represents a user in the database, but how 
can I map the principal to a specific role? 

Are principals mapped one to one from users to principals? Or should I perhaps 
map many users to one principal?

What I further don't understand is if and why authenticator plugins are called 
when credentials are correctly retrieved via e.g. the 
SessionCredentialsPlugin or how I can prevent it:

When the user logs in, there are no credentials and he has to supply them via 
the login form. Then he is authenticated by the AuthenticatorPlugin (e.g. the 
database is queried for user/pass), and the credentials are stored in the 
session.

However, for subsequent requests, I think it makes no sense to query the 
database again, as the user has already authenticated - or am I getting 
something wrong?

Best Regards,
Hermann

-- 
[EMAIL PROTECTED]
GPG key ID: 299893C7 (on keyservers)
FP: 0124 2584 8809 EF2A DBF9  4902 64B4 D16B 2998 93C7