On Wednesday 01 November 2006 10:18, Dominique Lederer wrote:
> I would like to implement my own permissions on my package.
> As far as I understood, I would do the following steps:
> - first I create some custom permissions and roles
> - then I grant the permissions to roles.
> - after that I create some global principals, which I assign my roles.
> These principals are my groups.
> This is all done by ZCML configuration stuff in my package, the groups
> are defined as principals in /etc/principals.zcml
> Is this right so far?

That's one way to do it, yes. We do almost the same, except that our groups 
live in the ZODB and are created when we create a site using the 
configurator. However, we have an ASP solution, so we need to make sure that 
if User U is in Group G in Site 1, then he is not in Group G in Site 2. You 
might not have this requirement, so doing global declarations is fine.

Having the groups in the ZODB allows you also to just set the members on the 
group. The framework does the rest. Again, this might not be desirable for 
external users.

> Next steps:
> - users are located outside of ZODB (let's say a simple mysql table with
> login, password, group as attributes), so I would write a PAU
> Authenticator Plugin.


> - This plugin I would register in my site's PAU. If everything goes right,
> I can now log in with users from the external database.


> - then I have to listen to IPrincipalCreated event and attach the
> group(s), depending on the "group" entry in my mysql table.


> (Do I have to make a second query here or is it possible to retrieve the
> group information via the auth plugin?)

You can have that info in the principal info of the auth plugin.

> Am I thinking right here? I just want to make sure I understood this,
> before work begins.

Yep, looks all good.

Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training
Zope3-users mailing list
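
The flow discussed in this thread, as an added example that is not part of the original messages: the authenticator reads the group in the same query that checks the password and returns it on the principal info, and the principal-created subscriber copies it onto the principal. This is plain Python that mirrors the `authenticateCredentials` method name and the event's `principal`/`info` attributes without importing Zope; `sqlite3` stands in for the MySQL table, and the `users` table layout with a salt column, the `groups` field on the info, the `ext.` and `group.` id prefixes and all class and function names are assumptions.

```python
import hashlib, hmac, os, sqlite3
from collections import namedtuple

# Stand-ins (assumed shapes) for the principal info and the created event.
PrincipalInfo = namedtuple("PrincipalInfo", "id title description groups")
PrincipalCreated = namedtuple("PrincipalCreated", "principal info")

class Principal:
    def __init__(self, id):
        self.id, self.groups = id, []

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SQLAuthenticator:
    """Stand-in for an authenticator plugin backed by the users table."""
    def __init__(self, conn, prefix="ext."):
        self.conn, self.prefix = conn, prefix

    def authenticateCredentials(self, credentials):
        creds = credentials or {}
        login, password = creds.get("login"), creds.get("password") or ""
        row = self.conn.execute(  # bound parameter, never string formatting
            'SELECT salt, password, "group" FROM users WHERE login = ?',
            (login,)).fetchone()
        salt, stored, group = row or (b"", b"", None)
        # Hash even for unknown logins so both failure paths cost the same.
        candidate = hash_password(password, salt)
        if row is None or not hmac.compare_digest(candidate, stored):
            return None
        # The group rides along on the info, so no second query is needed.
        groups = ["group." + group] if group else []
        return PrincipalInfo(self.prefix + login, login, "", groups)

def set_groups(event):
    """Subscriber for the principal-created event: copy groups from the info."""
    event.principal.groups.extend(getattr(event.info, "groups", ()))

def demo_login(login, password):
    conn = sqlite3.connect(":memory:")  # constructed sample data
    conn.execute('CREATE TABLE users (login TEXT, salt BLOB, password BLOB, "group" TEXT)')
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                 ("alice", salt, hash_password("s3cret", salt), "editors"))
    info = SQLAuthenticator(conn).authenticateCredentials(
        {"login": login, "password": password})
    if info is None:
        return None
    principal = Principal(info.id)
    set_groups(PrincipalCreated(principal, info))
    return principal.id, principal.groups
```

The group ids the subscriber attaches must match principals that exist and hold the intended roles, since role grants follow whatever ids end up in `principal.groups`.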
