On Jan 13, 2006, at 12:18 AM, Jeff Shell wrote:

With all of the other principal / group mini-proposals going on, does
there need to be a way to strongly (if that's the right word) compare
a principal looked up from an id that came out of... well, somewhere
(a transaction log record, a string stored in the 'creators' dublin
core sequence, etc), or even against each other?

b3_1 = zapi.principals().getPrincipal('brcms.user.3')
b3_2 = zapi.principals().getPrincipal('brcms.user.3')
b3_1 is b3_2
b3_1 == b3_2

Comparing the id attribute works. Is it reasonable to assume that
zapi.principals().getPrincipal(request.principal.id) should return the
same principal as request.principal? And thus if
somerecord['creator_id'] == request.principal.id, that's considered a
good match?

Yes.  We compare on principal id.

I believe it would be relatively easy to set up your system in such a way that this would not be safe. For instance, you could have two sites, both with authentication utilities. If each authentication utility had the same prefix and had a user with the same key in the auth utility, then you would have two different users with identical ids in the system.

Don't do that. :-)

It might be reasonable to add a bit to the IPrincipal interface that __eq__ is provided and uses id to compare. That seems reasonable to me, but maybe others have qualms. Care to write a mini-proposal? ;-)

Zope3-dev mailing list
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com

Reply via email to