Re: [Zope3-Users] PAU - how to give a principal a role
Hi,

On Tue, 2007-05-15 at 18:02 +0200, Hermann Himmelbauer wrote:
> Hi,
> I have to write an Authenticator Plugin for my application. My login/pass
> data is stored in a relational database, which I access via zsqlalchemy.
>
> I have several objects, which are secured by certain permissions. Moreover I
> granted permissions to several roles, which I also defined.
>
> My problem is how to give users, which are stored in my database, the correct
> role (and therefore permission). If I understand it right, an Authenticator
> Plugin returns a principal, which represents a user in the database, but how
> can I map the principal to a specific role?

    from zope.app.securitypolicy.interfaces import IPrincipalRoleManager

    role_manager = IPrincipalRoleManager(ob)  # ob may be the site or any other object
    role_manager.assignRoleToPrincipal(therole, principalid)

Like Dominique I also usually assign roles to groups and the users to the group
rather than directly assigning the role to the principal. (Groups are principals.)

Hope this helps

Regards,
Darryl

>
> Are principals mapped one to one from users to principals? Or should I
> perhaps map many users to one principal?
>
> What I further don't understand is if and why authenticator plugins are
> called when credentials are correctly retrieved via e.g. the
> SessionCredentialsPlugin or how I can prevent it:
>
> When the user logs in, there are no credentials and he has to supply them via
> the login form. Then he is authenticated by the AuthenticatorPlugin (e.g. the
> database is queried for user/pass), and the credentials are stored in the
> session.
>
> However, for subsequent requests, I think it makes no sense to query the
> database again, as the user has already authenticated - or am I getting
> something wrong?
>
> Best Regards,
> Hermann
>
___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users

Re: [Zope3-Users] PAU - how to give a principal a role
Hermann Himmelbauer wrote:
> Hi,
> I have to write an Authenticator Plugin for my application. My login/pass
> data is stored in a relational database, which I access via zsqlalchemy.
>
> I have several objects, which are secured by certain permissions. Moreover I
> granted permissions to several roles, which I also defined.
>
> My problem is how to give users, which are stored in my database, the correct
> role (and therefore permission). If I understand it right, an Authenticator
> Plugin returns a principal, which represents a user in the database, but how
> can I map the principal to a specific role?
>
> Are principals mapped one to one from users to principals? Or should I
> perhaps map many users to one principal?

I mapped the specific roles to a user group (principal), which is then assigned
via zope.app.authentication.interfaces.IAuthenticatedPrincipalCreated like

    # subscriber for IAuthenticatedPrincipalCreated
    def addGroupToPrincipal(event):
        event.principal.groups.append("mygroup")

> What I further don't understand is if and why authenticator plugins are
> called when credentials are correctly retrieved via e.g. the
> SessionCredentialsPlugin or how I can prevent it:
>
> When the user logs in, there are no credentials and he has to supply them via
> the login form. Then he is authenticated by the AuthenticatorPlugin (e.g. the
> database is queried for user/pass), and the credentials are stored in the
> session.
>
> However, for subsequent requests, I think it makes no sense to query the
> database again, as the user has already authenticated - or am I getting
> something wrong?

I save the time when the authenticator authenticated its credentials in the
database in a session, then I set a lease time, where the database is not
looked up. In this period, the user principalinfo is retrieved from the
session. So I prevent the db lookup on every request.

>
> Best Regards,
> Hermann
>

cheers
Dominique
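
A sketch of the lease described in the reply above, added here as an illustration and not code from the thread or from Zope: plain Python in which `LeasedAuthenticator`, `db_check`, `USERS`, `kdf`, `fingerprint` and the session dict are assumed stand-ins for the authenticator plugin, the database query and the Zope session. It goes one step beyond the reply by binding the lease to a keyed digest of the credentials, so different credentials presented in the same session always reach the database.

```python
import hashlib
import hmac
import time

def kdf(password, salt=b"constructed-salt"):
    # Low iteration count only to keep this example fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

USERS = {"hermann": kdf("s3cret")}  # constructed stand-in for the user table

def db_check(login, password):
    """Stand-in for the expensive database query; returns principal info or None."""
    stored = USERS.get(login)
    if stored is not None and hmac.compare_digest(stored, kdf(password)):
        return {"id": "db." + login}
    return None

def fingerprint(session_key, login, password):
    # Keyed digest, so the lease record holds no copy of the password.
    msg = login.encode() + b"\0" + password.encode()
    return hmac.new(session_key, msg, hashlib.sha256).digest()

class LeasedAuthenticator:
    """Skips the credential check while a per-session lease is still valid."""

    def __init__(self, check, lease=300, clock=time.monotonic):
        self.check, self.lease, self.clock = check, lease, clock
        self.db_lookups = 0  # counter for the demonstration only

    def authenticate(self, session, login, password):
        now = self.clock()
        fp = fingerprint(session["key"], login, password)
        cached = session.get("auth")
        if (cached and now - cached["at"] < self.lease
                and hmac.compare_digest(cached["fp"], fp)):
            return cached["info"]  # lease valid, same credentials: no lookup
        session.pop("auth", None)  # expired or different credentials
        self.db_lookups += 1
        info = self.check(login, password)
        if info is not None:
            session["auth"] = {"at": now, "fp": fp, "info": info}
        return info
```

The lease length is also the window during which a user who has been removed from the database is still accepted from the session, so it is the value to tune when choosing between fewer lookups and faster revocation.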