So I spent the day writing an IAuthenticator utility that loads
principals out of an RDBMS (via a SQLAlchemy mapper based model). I
got that working. All I want right now is to have my site,
'presenters', have view access restricted to the role

The site is persistent and the authenticator is a local utility. I set
up the site on load to disallow the 'zope.View' and
'' (not really needed, I guess, since I'm not
using dublin core anywhere) for the 'zope.Anonymous' role, and allow
it for 'app.Presenters' and 'zope.Manager'. It's just a simple /
blanket security policy, I know. But something similar has been in
place on the Zope 2 based version of this app for a number of years
now and has worked fine for this use case.

But.. I have no idea how to do this in Zope 3 land. It took me all day
to write my authenticator, At the end of the day I saw it working in
so far as it obviously retrieved a user record out of the database,
validated the password, and returned a dirt simple principal object. I
could tell this by the login form giving me a different message this
time ("you're not allowed to do that operation"). I tried looking at
the Principal-Role map and... I don't understand it. It's very
annotations oriented (the default implementation storing data in some
internal table-like structure). I, obviously, don't have annotations
going on right now. The hard thing is that I can't even figure out at
first glance what the different security manager adapters
(PrincipalRole, RolePermission, etc) are meant to adapt - a principal?
an object? a site? I'm not sure how much of the interface I have to
provide, what I should have it adapt (my Site object, I'm guessing?),
and so on.

All I want to say is "every user returned from this authenticator has
the view access for this site".

I'm not sure which of these I have to fill in. I'm not wanting to
assign every principal coming out of the RDBMS a role mapped in the
ZODB - so do I have to straddle both ZODB and RDBMS worlds here?
"Mappings between principals and roles" - where? A local object?
Globally? Do the answers have to include all answers from higher up
the tree if there's anything? Global settings? Am I looking at the
wrong thing?

class IPrincipalRoleMap(Interface):
    """Mappings between principals and roles."""

    def getPrincipalsForRole(role_id):
        """Get the principals that have been granted a role.

        Return the list of (principal id, setting) who have been assigned or
        removed from a role.

        If no principals have been assigned this role,
        then the empty list is returned.

    def getRolesForPrincipal(principal_id):
        """Get the roles granted to a principal.

        Return the list of (role id, setting) assigned or removed from
        this principal.

        If no roles have been assigned to
        this principal, then the empty list is returned.

    def getSetting(role_id, principal_id):
        """Return the setting for this principal, role combination

    def getPrincipalsAndRoles():
        """Get all settings.

        Return all the principal/role combinations along with the
        setting for each combination as a sequence of tuples with the
        role id, principal id, and setting, in that order.

Jeff Shell
Zope3-users mailing list

Reply via email to