Problem:
We need to be able to iterate over the members of a group, given a
group id. With the interfaces in zope.security, the only way to do
this is to iterate over all principals known to the system, check
their `groups` attribute, and if the group id is in the list then
include it. This is obviously problematic.
If we constrain ourselves to the pluggable authentication utility in
zope.app.authentication, we have some help, but it is pretty
inconvenient and conceivably problematic. The following (untested
sketch of a) approach is a good try for the common case, but won't
handle nested authentication utilities, and relies on an interface
not in an interfaces.py:
from zope import component
from zope.app.authentication import interfaces
import zope.app.authentication.groupfolder
group_id = 'foo'
auth = component.getUtility(interfaces.IPluggableAuthentication)
for name in auth.authenticatorPlugins:
plugin = component.queryUtility(
interfaces.IAuthenticatorPlugin, name, context=auth)
if zope.app.authentication.groupfolder.IGroupFolder.providedBy
(plugin):
try:
principals = plugin.getPrincipalsForGroup(group_id)
except KeyError:
pass
else:
break
else:
raise RuntimeError('Not Found')
Or something like that. As I said, this doesn't even handle some of
the more complex cases. Whew!
Solution:
Add a new interface to zope.security.interfaces:
class IMemberAwareGroup(IGroup):
members = interface.Attribute('an iterable of members of the
group')
Then make the groups that the zope.app.authentication.groupfolder
plugin generates implement the new interface.
Risks:
None known, other than the fact that applications that depend on the
new interface might fail when they encounter simple groups.
Thoughts?
Gary
_______________________________________________
Zope3-dev mailing list
Zope3-dev@zope.org
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com