On Mon, 2003-02-24 at 19:07, Paul Winkler wrote:
> On Mon, Feb 24, 2003 at 07:18:21PM -0300, Leonardo Rochael Almeida wrote:
> >
> > I don't think a multitude of roles is the way to go. The way your
> > problem sounds, you need users being allowed/forbidden to do certain
> > tasks depending on which part of the site they are. This is what
> > local-roles are for: parameterizing the permissions of a user based on
> > the location of the objects inside Zope.
>
> Yes, except that Oliver hit the nail on the head when he said:
>
> """From that I gather that your "sites" don't map 1:1 to objects into
> zope, so that you cannot use local roles for that, right?
> E.g, there are methods like doTaskX(location,...), where the permission
> to execute that method depend on location, and location is not an object
> inside zope.
> """

Yes, but .getRolesInContext still gives you everything you need to know:
The user object (and everything your user folder puts in there, which
could include request data, such as the originating IP and time of
login) and the object, including its location and any other data you
can acquire from it.

> [...]
>
> > So I think you need dynamically calculated local roles. This can be
> > achieved by a user folder that returns a user object that overrides
> > ".getRolesInContext(object)" to take the location (or any other
> > attribute, such as an acquired "site") of "object" and check it against
> > your central authorization source (eg. LDAP).
>
> hmmm... now i'm leaning back this way again.
> some quick testing with a large number of roles (10,000 added
> via a ZEO debug session) reveals that performance does indeed
> suck with that many roles. i could pursue the optimization that
> Dieter suggested but i'm no longer sure that I want to; the "lots of roles"
> idea was a lot more attractive when I thought it would be only
> a UI issue. Instead it looks like I'd have to make substantial
> changes in lib/python/AccessControl and there's a few more thousand
> lines of code in there which I haven't even looked at yet.

Yes. I do believe .getRolesInContext was put there to support this kind
of customization. As I said in posts past, local-roles should have a
more central role in the documentation, and that includes development
documentation, such as local-role customization.

> > [...]
> > Hope I made some sense :-)
>
> I think so. This stuff makes my head hurt. :)

I feel your pain :-)

Cheers, Leo

--
Ideas don't stay in some minds very long because they don't like
solitary confinement.
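
The approach discussed in this message, sketched as an added example that is not part of the original thread and not Zope's own code: a user object whose getRolesInContext() derives roles from an acquired "site" and a central grant table instead of thousands of stored roles. Node, DynamicUser, acquire_site and CENTRAL_GRANTS are hypothetical stand-ins (the table stands in for a source such as LDAP); only the getRolesInContext name comes from the thread.

```python
# Stand-alone model; these classes are illustrative, not Zope's AccessControl.

# Constructed sample data standing in for a central source such as LDAP:
# (user id, site) -> roles granted at that site.
CENTRAL_GRANTS = {
    ("paul", "site-a"): ("Manager",),
    ("paul", "site-b"): ("Reviewer",),
}


class Node:
    """Minimal object tree; 'parent' stands in for acquisition."""

    def __init__(self, name, parent=None, site=None):
        self.name, self.parent, self.site = name, parent, site


def acquire_site(obj):
    """Walk up the containment chain until a container declares a site."""
    while obj is not None:
        if obj.site is not None:
            return obj.site
        obj = obj.parent
    return None


class DynamicUser:
    """User whose local roles are computed per context, not stored on objects."""

    def __init__(self, user_id, global_roles=("Authenticated",), grants=CENTRAL_GRANTS):
        self.user_id = user_id
        self.global_roles = tuple(global_roles)
        self.grants = grants

    def getRolesInContext(self, obj):
        site = acquire_site(obj)
        # No site above the object, or no grant for it: global roles only.
        extra = self.grants.get((self.user_id, site), ()) if site else ()
        return sorted(set(self.global_roles) | set(extra))

    def allowed(self, obj, required_roles):
        return bool(set(required_roles) & set(self.getRolesInContext(obj)))


def demo():
    root = Node("root")
    doc_a = Node("doc", Node("folder", Node("a", root, site="site-a")))
    doc_b = Node("doc", Node("b", root, site="site-b"))
    orphan = Node("doc", root)  # no site anywhere above it
    paul = DynamicUser("paul")
    return [paul.getRolesInContext(o) for o in (doc_a, doc_b, orphan)]
```

The same user gets Manager under site-a, Reviewer under site-b, and nothing beyond the global roles where no site can be acquired, so a missing or unknown location never widens access.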