Re: [Zope3-Users] Granting roles automatically ?

2006-11-01 Thread Dominique Lederer
Stephan Richter schrieb:
 On Friday 27 October 2006 06:57, Thierry Florac wrote:
 What I'd like to do is to be able to grant a set of roles automatically
 to my internal principals authenticated via LDAP. Is it possible ?
 
 Yes, create some groups and grant them permissions and roles. You then listen 
 to the IPrincipalCreated event and attach the group(s), if they are coming 
 from LDAP.
 
 Regards,
 Stephan

hi, my questions are similar to this:

i would like to implement my own permissions on my package.
as far as i unterstood, i would to the following steps:

- first i create some custom permissions and roles
- then i grant the permissions to roles.
- after that i create some global principals, which i assign my roles.
These principals are my groups.

This is all done by ZCML configuration stuff in my package, the groups
are defined as principals in /etc/principals.zcml

is this right so far?

next steps:
-users are located outside of ZODB (lets say a simple mysql table with
login, password, group as attributes), so i would write a PAU
Authenticator Plugin.
-This plugin i would register in my sites PAU. if everything goes right,
i can now login with users from the external database.
- then i have to listen to IPrincipalCreated event and attach the
group(s), depending on the group entry in my mysql table. (Do i have
to make a second query here or is it possible to retrieve the group
information via the auth plugin?)

im i thinking right here? i just want to make sure i unterstood this,
before work begins.

thanks!
Dom
___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users


Re: [Zope3-Users] Granting roles automatically ?

2006-11-01 Thread Stephan Richter
On Wednesday 01 November 2006 10:18, Dominique Lederer wrote:
 i would like to implement my own permissions on my package.
 as far as i unterstood, i would to the following steps:

 - first i create some custom permissions and roles
 - then i grant the permissions to roles.
 - after that i create some global principals, which i assign my roles.
 These principals are my groups.

 This is all done by ZCML configuration stuff in my package, the groups
 are defined as principals in /etc/principals.zcml

 is this right so far?

That's one way to do it, yes. We do almost the same, except that our groups 
live in the ZODB and are created when we create a site using the 
configurator. However, we have an ASP solution, so we need to make sure that 
if User U is in Group G in Site 1, then he is not in Group G in Site 2. You 
might not have this requirement, so doing global declarations is fine.

Having the groups in the ZODB allows you also to just set the members on the 
group. The framework does the rest. Again, this might not be desirable for 
external users.

 next steps:
 -users are located outside of ZODB (lets say a simple mysql table with
 login, password, group as attributes), so i would write a PAU
 Authenticator Plugin.

Correct.

 -This plugin i would register in my sites PAU. if everything goes right,
 i can now login with users from the external database.

Yes.

 - then i have to listen to IPrincipalCreated event and attach the
 group(s), depending on the group entry in my mysql table.

Correct.

 (Do i have 
 to make a second query here or is it possible to retrieve the group
 information via the auth plugin?)

You can have that info in the principal info of the auth plugin.

 im i thinking right here? i just want to make sure i unterstood this,
 before work begins.

Yep, looks all good.

Regards,
Stephan
-- 
Stephan Richter
CBU Physics  Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training
___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users


Re: [Zope3-Users] Granting roles automatically ?

2006-10-30 Thread Stephan Richter
On Friday 27 October 2006 06:57, Thierry Florac wrote:
 What I'd like to do is to be able to grant a set of roles automatically
 to my internal principals authenticated via LDAP. Is it possible ?

Yes, create some groups and grant them permissions and roles. You then listen 
to the IPrincipalCreated event and attach the group(s), if they are coming 
from LDAP.

Regards,
Stephan
-- 
Stephan Richter
CBU Physics  Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training
___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users