Jim Penny <[EMAIL PROTECTED]> wrote:
> I needed a generalization of this scheme (and so ended up writing my own
> User Folder).
> We manufacture parts which are controlled by second parties, but bought
> primarily by third parties. I will call these parties Manufacturer,
> Brand Owners, and Contractors.
> I now have two kinds of administrators, and two kinds of users. There
> are unrestricted administrators and users. Since this really is
> enforced only at the user folder level (normal zope machinery is used
> elsewhere), a quick description is that an unrestricted administrator
> may create, modify or destroy any user or Brand Owner Name, and may
> associate any list of Brand owner names with any user. Any unrestricted
> user has a flag designating him as such and it is expected that
> application code check the flag and permit access to the contents held
> for Brand Owners.
> Restricted Administrators may create new users, modify users, or delete
> (some) users. However, any user they create may have only a subset of
> their brand owner name list (and their normal zope permissions).
> They may remove any of their brand names from a user that has one or
> more of the brand names under their control. They may delete users that
> have brand names only under their control. They may also create other
> administrators, subject to the subset restictions.
> Restricted Users have a brand list associated with them. Application
> logic can use this brand list to filter content.
> The restricted administrator is a big deal to us. If this takes off, we
> will not be able to properly control the set of Restricted Users (at
> Brand Owners and Contractors). Failure to do so could lead to legal
> exposure, so by creating Restricted Administrators who are Brand Owners,
> the contrl (and thus most of the legal exposure) can be shifted back to
> the Brand Owner.
This screams of ACLs for user management...
I'm having the need too, in the context of CMF.
I ended up writing an additional service (portal_directory) that has a complex
set of ACLs to mediate access to the user folder.
Some code will be released soon.
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 10 http://nuxeo.com mailto:[EMAIL PROTECTED]
Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists -