Jürgen Herrmann wrote:
[ Dieter Maurer wrote:]

Jürgen Herrmann wrote at 2005-10-19 15:34 +0200:

i use the SimpleUserFolder product and derive a MyUser class from it's
included User class, which in turn inherits from BasicUser.

the SimpleUserFolder's User class does neither reimplement
getRolesInContext() nor allowed(). i looked at the source of
BasicUser (lib/python/AccessControl/User.py) and found out that
allowed() does not use the information provided by getRolesInContext().
i found this comment:
      # Still have not found a match, so check local roles. We do
      # this manually rather than call getRolesInContext so that
      # we can incur only the overhead required to find a match.

so if i reimplement getRolesInContext() in MyUser, i'll probably also
have to reimplement allowed() to reflect the possibly added local roles,
right?

Yes.


...
ps: looking at the code of allowed() i doubt that the "manual" checking
of local roles will speed this method up a lot: local roles seem to be
a seldomly used feature, the improvement in speed would only occur if
the object in question was protected by a local role

Be careful about terminology! Objects are not protected by roles
(but by permissions).

k, i'll take care in the future :)

You gain something if a near local role grants the necessary
permission.
The "Owner" local role tends to be very near.

Thus, you may gain, when usually owners try to execute protected
methods.

sounds reasonable.

(and not a normal
one). is this enough to justify duplicated code with all of it's
disadvantages)?

Nobody prevents you to implement your "allowed" by means
of "getRolesInContext".

--
Dieter


ok, it just felt a little wrong to reimplement allowed... but if thats
the way, fine by me!

to dig a little deeper into zope's security machinery, does anybody
know where to look at (in the source) f.ex. to find the place where
the owner role is assigned to a user?

That's done by OFS.ObjectManager._setObject.

Florent

--
Florent Guillaume, Nuxeo (Paris, France)   CTO, Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   [EMAIL PROTECTED]
_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to