Gary Poster wrote:
We frequently want to know the full closure of group membership. The
groups attribute of zope.security.interfaces.IGroupAwarePrincipal is a
list of groups to which the principal directly belongs. The full
closure--including the groups to which the principal's groups belong,
for instance--must be calculated by any piece of code that needs it.
The description of zope.security.interfaces.IGroupAwarePrincipal.groups
does not sufficiently clarify that it is *not* a full closure.
zope.security.interfaces.IGroupAwarePrincipal has been around for
awhile, and probably should not be materially changed (i.e., to
redefine or add an attribute).
1) Clarify the zope.security.interfaces.IGroupAwarePrincipal.groups
description: change from
"List of ids of groups the principal belongs to"
"List of ids of groups to which the principal directly belongs"
2) Add an additional interface to zope.security.interfaces interface.
allGroups = interface.Attribute(
'a readonly iterable of the full closure of the principal's
3) Make the principals in zope.app.authentication implement
IGroupClosureAwarePrincipal. First cut of 'allGroups' would probably
be to make it be a lazy property, returning a tuple of the full closure.
Some might be unhappy that allGroups is not a hook point, but a
convenience: that is, it will be a full closure, not an opportunity to
be clever to redefine how group membership is calculated.
+1, a long time ago I suggested something similar because in the CPS
framework of groups we need knowledge both of direct membership and
transitive closure (we have a getGroups method that's the direct groups,
and a getComputedGroups that's the transitive closure and is used for
instance when we have groups of groups).
I'm still not using the zope 3 principal framework but at some point I
know I'll need it in zope 3 too :)
Do you think your interfaces fit the need of "computed" groups? I'm not
sure if the meaning of "computed" is clear but I can expand on that if
it's not (for instance, it could be for the case where groups exist
dynamically according to some computation on the prinicpal's properties).
Florent Guillaume, Nuxeo (Paris, France) Director of R&D
+33 1 40 33 71 59 http://nuxeo.com [EMAIL PROTECTED]
Zope3-dev mailing list