On Sun, Feb 23, 2003 at 09:02:24PM +0100, Dieter Maurer wrote:
> I think (not sure, though) that Zope has the following time
> complexity for permission checking:
> If a user has "u" roles and a permission is allowed for
> "a" roles, then Zope checks for each of the "u" roles
> whether it is in the list of "a" roles.
That's correct, I just found this in lib/python/AccessControl/User.py,
in the definition of "allowed":
user_roles = self.getRoles()
for role in object_roles:
if role in user_roles:
(_check_context ensures that the object is not acquired from some
other context where this user doesn't exist.)
> The complexity is "u * a" whith can be too high for
> large "u" and "a".
Indeed... and object_roles seems likely to be bigger than user_roles
(in general, but drastically moreso in my scenario). which means
that it's quite likely we'd iterate for quite some time before
findign a match.
> It is easy to optimize this to "u + a" (via a dictionary),
> then thousands of roles should not be a problem.
would that mean you have to build a (potentially huge) dictionary every
time? I'd greatly appreciate it if you could expand on this suggestion.
Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists -