On Friday, 16.12.2005, at 07:16 -0500, Jim Fulton wrote:
> This is only a problem if username === user id.  In both Zope 2 and
> Zope 3, these are distinct, although this isn't widely recognized or
> leveraged in Zope 2.  I don't think it is necessary to remove all
> grants to an old user *id* as long as ids are never reused.  I'd say it
> might even be useful to keep the old grants, at least for some period,
> for auditing purposes.
> If we *do* need to be able to remove all grants for a deleted user
> when we remove a user, then we need to provide an authorization system
> that makes this possible.

I think if we can guarantee never to reuse a user id, provide a tool for
doing RIP and we do not provide undo, we are fine.

> By definition, there is no efficient way to iterate over all objects
> in a database, any database, unless the database is small.  If we
> need to be able to do this, we should design support into the
> authorization system that we certify.

Agreed. This would mean that the authorization system (which is
policy-dependent, if I understand it correctly) will have to maintain data
structures that allow efficient handling for those tasks. Right?


gocept gmbh & co. kg - schalaunische str. 6 - 06366 koethen - germany
www.gocept.com - [EMAIL PROTECTED] - phone +49 3496 30 99 112 -
fax +49 3496 30 99 118 - zope and plone consulting and development
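
Added example, not part of the original message and not Zope's security API: a toy grant store showing the two ideas discussed in this thread, user ids that are never reused and a reverse index from principal id to objects, so that a deleted user's grants can be audited or purged without iterating over the whole database. The class name, method names and object paths are hypothetical.

```python
import itertools
from collections import defaultdict


class GrantStore:
    """Toy authorization store (hypothetical, for illustration only)."""

    def __init__(self):
        self._next_id = itertools.count(1)     # each id is issued exactly once
        self._retired = set()                  # ids of deleted users
        self._grants = defaultdict(set)        # object path -> {(principal_id, permission)}
        self._by_principal = defaultdict(set)  # reverse index: principal_id -> {object path}

    def new_principal(self):
        # A counter that never goes back: a retired id cannot be handed out again.
        return next(self._next_id)

    def grant(self, obj, principal_id, permission):
        if principal_id in self._retired:
            raise ValueError("principal id %d is retired" % principal_id)
        self._grants[obj].add((principal_id, permission))
        self._by_principal[principal_id].add(obj)

    def allowed(self, obj, principal_id, permission):
        # Grants of a retired id may still be stored, but they never authorize.
        return (principal_id not in self._retired
                and (principal_id, permission) in self._grants.get(obj, ()))

    def audit(self, principal_id):
        """List (object, permission) pairs still recorded for an id."""
        return sorted((obj, perm)
                      for obj in self._by_principal.get(principal_id, ())
                      for pid, perm in self._grants[obj] if pid == principal_id)

    def retire(self, principal_id, purge=False):
        """Delete a user; with purge=True also drop the stored grants.

        Only the objects named in the reverse index are visited.
        """
        self._retired.add(principal_id)
        touched = sorted(self._by_principal.get(principal_id, ()))
        if purge:
            for obj in touched:
                self._grants[obj] = {g for g in self._grants[obj]
                                     if g[0] != principal_id}
            self._by_principal.pop(principal_id, None)
        return touched
```

Calling `retire()` without `purge` keeps the old grants available to `audit()` for a retention period; a later `retire(..., purge=True)` removes them.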


Zope3-dev mailing list