On Sun, Feb 23, 2003 at 09:02:24PM +0100, Dieter Maurer wrote: > I think (not sure, though) that Zope has the following time > complexity for permission checking: > > If a user has "u" roles and a permission is allowed for > "a" roles, then Zope checks for each of the "u" roles > whether it is in the list of "a" roles.
That's correct, I just found this in lib/python/AccessControl/User.py, in the definition of "allowed": user_roles = self.getRoles() for role in object_roles: if role in user_roles: if self._check_context(object): return 1 return None (_check_context ensures that the object is not acquired from some other context where this user doesn't exist.) > The complexity is "u * a" whith can be too high for > large "u" and "a". Indeed... and object_roles seems likely to be bigger than user_roles (in general, but drastically moreso in my scenario). which means that it's quite likely we'd iterate for quite some time before findign a match. > It is easy to optimize this to "u + a" (via a dictionary), > then thousands of roles should not be a problem. would that mean you have to build a (potentially huge) dictionary every time? I'd greatly appreciate it if you could expand on this suggestion. Thanks! -- Paul Winkler http://www.slinkp.com _______________________________________________ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )