I have to write an Authenticator Plugin for my application. My login/pass data
is stored in a relational database, which I access via zsqlalchemy.
I have several objects, which are secured by certain permissions. Moreover I
granted permissions to several roles, which I also defined.
My problem is how to give users, which are stored in my database, the correct
role (and therefore permission). If I understand it right, an Authenticator
Plugin returns a principal, which represents a user in the database, but how
can I map the principal to a specific role?
Are principals mapped one to one from users to principals? Or should I perhaps
map many users to one principal?
What I further don't understand is if and why authenticator plugins are called
when credentials are correctly retrieved via e.g. the
SessionCredentialsPlugin or how I can prevent it:
When the user logs in, there are no credentials and he has to supply them via
the login form. Then he is authenticated by the AuthenticatorPlugin (e.g. the
database is queried for user/pass), and the credentials are stored in the
However, for subsequent requests, I think it makes no sense to query the
database again, as the user has already authenticated - or am I getting
GPG key ID: 299893C7 (on keyservers)
FP: 0124 2584 8809 EF2A DBF9 4902 64B4 D16B 2998 93C7
Zope3-users mailing list