So I spent the day writing an IAuthenticator utility that loads
principals out of an RDBMS (via a SQLAlchemy mapper based model). I
got that working. All I want right now is to have my site,
'presenters', have view access restricted to the role
The site is persistent and the authenticator is a local utility. I set
up the site on load to disallow the 'zope.View' and
'zope.app.dublincore.view' (not really needed, I guess, since I'm not
using dublin core anywhere) for the 'zope.Anonymous' role, and allow
it for 'app.Presenters' and 'zope.Manager'. It's just a simple /
blanket security policy, I know. But something similar has been in
place on the Zope 2 based version of this app for a number of years
now and has worked fine for this use case.
But... I have no idea how to do this in Zope 3 land. It took me all day
to write my authenticator. At the end of the day I saw it working
insofar as it obviously retrieved a user record out of the database,
validated the password, and returned a dirt simple principal object. I
could tell this by the login form giving me a different message this
time ("you're not allowed to do that operation"). I tried looking at
the Principal-Role map and... I don't understand it. It's very
annotations oriented (the default implementation storing data in some
internal table-like structure). I, obviously, don't have annotations
going on right now. The hard thing is that I can't even figure out at
first glance what the different security manager adapters
(PrincipalRole, RolePermission, etc) are meant to adapt - a principal?
an object? a site? I'm not sure how much of the interface I have to
provide, what I should have it adapt (my Site object, I'm guessing?),
and so on.
All I want to say is "every user returned from this authenticator has
the view access for this site".
I'm not sure which of these I have to fill in. I'm not wanting to
assign every principal coming out of the RDBMS a role mapped in the
ZODB - so do I have to straddle both ZODB and RDBMS worlds here?
"Mappings between principals and roles" - where? A local object?
Globally? Do the answers have to include all answers from higher up
the tree if there's anything? Global settings? Am I looking at the

class IPrincipalRoleMap(Interface):
    """Mappings between principals and roles."""

    def getPrincipalsForRole(role_id):
        """Get the principals that have been granted a role.

        Return the list of (principal id, setting) who have been assigned or
        removed from a role.

        If no principals have been assigned this role,
        then the empty list is returned.
        """

    def getRolesForPrincipal(principal_id):
        """Get the roles granted to a principal.

        Return the list of (role id, setting) assigned or removed from
        this principal.

        If no roles have been assigned to
        this principal, then the empty list is returned.
        """

    def getSetting(role_id, principal_id):
        """Return the setting for this principal, role combination"""

    def getPrincipalsAndRoles():
        """Get all settings.

        Return all the principal/role combinations along with the
        setting for each combination as a sequence of tuples with the
        role id, principal id, and setting, in that order.
        """

Zope3-users mailing list
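
An added example, not part of the original post and not Zope's own code: a principal-role map with the four methods of the interface quoted above that computes its answers from a rule instead of storing grants in annotations, so no per-user role data has to live in the ZODB. It is a stand-alone sketch with assumptions: the "rdbms." id prefix, the class name, the known_ids argument and the ALLOW/UNSET strings (stand-ins for the policy's Allow and Unset setting values) are all hypothetical.

```python
# Added example: stand-alone sketch, not code from Zope or from the post.
# ALLOW / UNSET are constructed stand-ins for the policy's setting values.
ALLOW, UNSET = "Allow", "Unset"


class ComputedPrincipalRoleMap:
    """Answer principal/role questions by rule, with no stored grants.

    Every principal whose id starts with `prefix` (assumed to be the prefix
    the RDBMS authenticator puts on its principal ids) holds `role_id`.
    Everything else gets UNSET, i.e. "no opinion at this level", so this
    map never grants or denies anything to principals it does not own.
    """

    def __init__(self, context, prefix="rdbms.", role_id="app.Presenters",
                 known_ids=()):
        self.context = context        # assumed: the 'presenters' site object
        self.prefix = prefix          # hypothetical principal id prefix
        self.role_id = role_id
        self.known_ids = known_ids    # optional ids used only for enumeration

    def _is_ours(self, principal_id):
        return principal_id.startswith(self.prefix)

    def getRolesForPrincipal(self, principal_id):
        if self._is_ours(principal_id):
            return [(self.role_id, ALLOW)]
        return []

    def getSetting(self, role_id, principal_id):
        if role_id == self.role_id and self._is_ours(principal_id):
            return ALLOW
        return UNSET

    def getPrincipalsForRole(self, role_id):
        # Listing holders needs the id list from the database; with no
        # known_ids supplied the answer is the empty list.
        if role_id != self.role_id:
            return []
        return [(pid, ALLOW) for pid in self.known_ids if self._is_ours(pid)]

    def getPrincipalsAndRoles(self):
        # Tuples are (role id, principal id, setting), in that order.
        return [(self.role_id, pid, ALLOW)
                for pid, _ in self.getPrincipalsForRole(self.role_id)]
```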