So I spent the day writing an IAuthenticator utility that loads principals out of an RDBMS (via a SQLAlchemy mapper based model). I got that working. All I want right now is to have my site, 'presenters', have view access restricted to the role 'app.Presenters'.
The site is persistent and the authenticator is a local utility. I set up the site on load to disallow the 'zope.View' and 'zope.app.dublincore.view' (not really needed, I guess, since I'm not using dublin core anywhere) for the 'zope.Anonymous' role, and allow it for 'app.Presenters' and 'zope.Manager'. It's just a simple / blanket security policy, I know. But something similar has been in place on the Zope 2 based version of this app for a number of years now and has worked fine for this use case. But.. I have no idea how to do this in Zope 3 land. It took me all day to write my authenticator, At the end of the day I saw it working in so far as it obviously retrieved a user record out of the database, validated the password, and returned a dirt simple principal object. I could tell this by the login form giving me a different message this time ("you're not allowed to do that operation"). I tried looking at the Principal-Role map and... I don't understand it. It's very annotations oriented (the default implementation storing data in some internal table-like structure). I, obviously, don't have annotations going on right now. The hard thing is that I can't even figure out at first glance what the different security manager adapters (PrincipalRole, RolePermission, etc) are meant to adapt - a principal? an object? a site? I'm not sure how much of the interface I have to provide, what I should have it adapt (my Site object, I'm guessing?), and so on. All I want to say is "every user returned from this authenticator has the view access for this site". I'm not sure which of these I have to fill in. I'm not wanting to assign every principal coming out of the RDBMS a role mapped in the ZODB - so do I have to straddle both ZODB and RDBMS worlds here? "Mappings between principals and roles" - where? A local object? Globally? Do the answers have to include all answers from higher up the tree if there's anything? Global settings? Am I looking at the wrong thing? class IPrincipalRoleMap(Interface): """Mappings between principals and roles.""" def getPrincipalsForRole(role_id): """Get the principals that have been granted a role. Return the list of (principal id, setting) who have been assigned or removed from a role. If no principals have been assigned this role, then the empty list is returned. """ def getRolesForPrincipal(principal_id): """Get the roles granted to a principal. Return the list of (role id, setting) assigned or removed from this principal. If no roles have been assigned to this principal, then the empty list is returned. """ def getSetting(role_id, principal_id): """Return the setting for this principal, role combination """ def getPrincipalsAndRoles(): """Get all settings. Return all the principal/role combinations along with the setting for each combination as a sequence of tuples with the role id, principal id, and setting, in that order. """ -- Jeff Shell _______________________________________________ Zope3-users mailing list Zope3email@example.com http://mail.zope.org/mailman/listinfo/zope3-users