Hi, Am Freitag, den 16.12.2005, 07:16 -0500 schrieb Jim Fulton: > This is only a problem if username === user id. In both Zope 2 and > Zope 3, these are distinct, although this isn't widely recognized or > leveraged in Zope 2. I don't think it is necessary to remove all > grants to an old user *id* as long as ids are never reused. I'd say it > might even be useful to keep the old grants, at least for some period, > for auditing purposed. > > If we *do* need to be able to remove all grants for a deleted user > when we remove a user, then we need to provide an authorization system > that makes this possible.
I think if we can guarantee never to reuse a user id, provide a tool for doing RIP and we do not provide undo we are fine. > By definition, there is no efficient way to iterate over all objects > in a database, any database, unless the database is small. If we > need to be able to do this, we should design support into the > authorization system that we certify. Agreed. This would mean that the authorization system (which is policy dependant if I understand it correctly) will have to maintain data structures that allow efficient handling for those tasks. Right? Christian -- gocept gmbh & co. kg - schalaunische str. 6 - 06366 koethen - germany www.gocept.com - [EMAIL PROTECTED] - phone +49 3496 30 99 112 - fax +49 3496 30 99 118 - zope and plone consulting and development
Description: This is a digitally signed message part
_______________________________________________ Zope3-dev mailing list Zope3firstname.lastname@example.org Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com