On Sun, Feb 23, 2003 at 09:02:24PM +0100, Dieter Maurer wrote:
> I think (not sure, though) that Zope has the following time
> complexity for permission checking:
>   If a user has "u" roles and a permission is allowed for
>   "a" roles, then Zope checks for each of the "u" roles
>   whether it is in the list of "a" roles.

That's correct, I just found this in lib/python/AccessControl/User.py,
in the definition of "allowed":

   user_roles = self.getRoles()
   for role in object_roles:
       if role in user_roles:
           if self._check_context(object): 
               return 1
           return None

(_check_context ensures that the object is not acquired from some
other context where this user doesn't exist.)

>   The complexity is "u * a" whith can be too high for
>   large "u" and "a".

Indeed... and object_roles seems likely to be bigger than user_roles
(in general, but drastically moreso in my scenario). which means
that it's quite likely we'd iterate for quite some time before
findign a match.

>   It is easy to optimize this to "u + a" (via a dictionary),
>   then thousands of roles should not be a problem.

would that mean you have to build a (potentially huge) dictionary every 
time?  I'd greatly appreciate it if you could expand on this suggestion.



Paul Winkler

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to