Dirk Datzert wrote:
def getRolesInContext(self, obj):
    # get nearest acl_users for obj (not really sure if this works?)
    lrt = obj.acl_users
    user = lrt.getUser(self.getId(), self._getPassword())
    return user.getRoles()
Hmm, no, the user object is simply "self".

Yes, wrong question ;-)

having the following folder structure:

/acl_users (LUF)
/dir1/acl_users (LRT1)
/dir2/acl_users (LRT2)

If I access /dir1/index_html, does the user object come from LRT1 or LUF?
I would expect LRT1.
You might expect that, but you probably shouldn't. :-) The user may have roles in places other than /dir1. Let's say there's a shared calendar object at /calendar, only certain people can access it, and for those people it gets displayed on every page throughout the site. If you put users in the context of the role twiddler, they won't be able to access /dir1 and /calendar in the same request. You would be tempted to "fix" the context checking by disabling it. You'd open a big hole. ;-) It's better for users to exist in the context of the LUF.

If I access /dir2/index_html, does the user object come from LRT2?
What if, in /dir2/index_html, I access aq_parent.dir1.index_html?
Will the AUTHENTICATED_USER change? Will the user object come from LRT2?
No, it will not. Only one user ever applies to a request. And whether you get access to /dir1/index_html depends on the context of the user: if the user appears to be in the context of /acl_users, you'll get access (possibly excessive access), but if the user appears to be in the context of /dir1/index_html, you won't get access, regardless of permissions and roles.

In the real world, you don't want either extreme. You want the user to be in the context of /acl_users, but you don't want to grant temporary global roles like LDAPRoleExtender currently does, since that can also open security holes. You want dynamic local roles. And the right way to do this in Zope 2 is to override getRolesInContext().
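As an added stand-alone model of the point above (not code from this thread or from Zope itself): a simplified BasicUser whose getRolesInContext() walks the acquisition chain, and a subclass that overrides it so externally sourced roles apply only below the folder they were granted for, contrasted with granting the same role globally for the request. The Folder class, its path() helper and the path-keyed role mapping are constructed stand-ins (the mapping plays the part of an LDAP group lookup).

```python
class Folder:
    # Constructed stand-in for a Zope folder: a name, an acquisition parent
    # and the per-user local roles Zope keeps in __ac_local_roles__.
    def __init__(self, name, parent=None, local_roles=None):
        self.name, self.aq_parent = name, parent
        self.__ac_local_roles__ = local_roles or {}  # {userid: [roles]}
    def path(self):  # constructed helper, stands in for getPhysicalPath()
        return (self.aq_parent.path() if self.aq_parent else ()) + (self.name,)


class BasicUser:
    # Roughly what Zope 2's BasicUser does: global roles plus the local roles
    # found on the object and on each of its acquisition parents.
    def __init__(self, userid, roles=()):
        self._id, self._roles = userid, tuple(roles)
    def getId(self):
        return self._id
    def getRoles(self):
        return self._roles
    def getRolesInContext(self, obj):
        roles = set(self.getRoles())
        while obj is not None:
            roles.update(obj.__ac_local_roles__.get(self.getId(), ()))
            obj = obj.aq_parent
        return sorted(roles)


class DynamicLocalRoleUser(BasicUser):
    # The override the reply recommends: the user stays in the LUF's context,
    # and externally sourced roles apply only under the folders they were
    # granted for, instead of being added to getRoles() for the whole request.
    def __init__(self, userid, roles, external_roles):
        BasicUser.__init__(self, userid, roles)
        self._external = external_roles  # constructed: folder path -> roles
    def getRolesInContext(self, obj):
        roles = set(BasicUser.getRolesInContext(self, obj))
        node = obj
        while node is not None:
            roles.update(self._external.get(node.path(), ()))
            node = node.aq_parent
        return sorted(roles)


def demo():
    root = Folder('')  # site root, where the LUF lives
    dir1_index = Folder('index_html', Folder('dir1', root))
    calendar = Folder('calendar', root)
    # Temporary global role (what the reply warns against): seen everywhere.
    temp_global = BasicUser('dirk', ['Member', 'Editor'])
    # Dynamic local role: 'Editor' is scoped to /dir1 and what lies below it.
    dynamic = DynamicLocalRoleUser('dirk', ['Member'], {('', 'dir1'): ['Editor']})
    return {'global_calendar': temp_global.getRolesInContext(calendar),
            'dynamic_dir1': dynamic.getRolesInContext(dir1_index),
            'dynamic_calendar': dynamic.getRolesInContext(calendar)}
```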


Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )
