[Zope-Coders] please review LocalRolesRevamp

Shane Hathaway shane@zope.com
Wed, 10 Oct 2001 11:04:00 -0400 

Martijn Faassen wrote:

> Shane Hathaway wrote:
> 
>>On Wed, 10 Oct 2001, Martijn Faassen wrote:
>>
>>
>>>>Will you provide a search form that filters by access?  You may need it.
>>>>
>>>I don't understand what you mean. Filter what by whose access?
>>>
>>A lot of Zope sites need to filter the results of a catalog search
>>according to the roles available to the user.  I don't know whether that's
>>the case for you.
>>
> 
> Yes, I think this will eventually be necessary in some way.


It's a lot more user-friendly.  One of the things people always disliked 
about search engines is the tendency to return outdated results.  (Until 
Google's cache, anyway ;-) )  Returning results the user is not allowed 
to see is probably even worse.

> 
> [overriding User] 
> 
>>You could override getRolesInContext(), I think.
>>
> 
> An optimization was introduced in Zope 2.3 (I think) that makes this impossible.
> getRolesInContext() is I think not used by the core anymore.


Well, maybe we can undo that fix. :-)


> 
> [snip]
> 
> But you'd need to in order to accomplish some use cases. What I'd like to
> compute is user attributes to local roles. This computation is place
> dependent; in place A in the tree I'd like user attribute 'employee' to
> have, say, 'Manager' rights, but in place B I'd like the same user
> attribute to only have 'Authenticated' rights. It seems hard to avoid
> actually going to the place and asking what their mapping is in this
> scenario.


Well, before I even joined with Zope Corp. I wrote a product called 
ACLManager.  It was designed to deal with exactly this problem.  I was 
working at a major educational institution, putting courses on the web. 
  I was trying to move all their Internet offerrings to Zope.  There 
were over 100 courses already on the web, each class had 30 or so 
students, and students added or dropped courses every day.

I didn't feel that Zope's local role management was up to the task.  So 
what ACLManager is supposed to do is let you define named workgroups and 
essentially associate access rules for the named workgroups.  A 
workgroup name could be, for example, "CIS1100", and does not usually 
correspond with the name of a folder.  Then in the /courses/cis1100 
folder you create a "satellite" user folder and tell it to draw users 
from the "CIS1100" workgroup.

Having the workgroup name gives you a lot of advantages IMHO.  If you 
move or rename /courses/cis1100, the user roles continue to work.  You 
get central management *and* distributed management.  For web courses 
there is another great advantage: while you're running a class you can 
be creating a new version of the class for next semester.  Just before 
the next semester you set the workgroup of your new course.

ACLManager is still available for download, though unfortunately I 
didn't know the internals of Zope as well as I do now, so it doesn't 
work as well as it could.  For example, I would be more bold now ;-) and 
I wouldn't use satellite user folders, instead opting to change the way 
local roles are computed.

> Per user you'd still have to go off asking dozens if not hundreds of
> objects for this information, though, in large sites where this is
> used a lot. You could employ some caching here though, and it'd still
> be less expensive than filtering cataloged objects each time (which can
> easily run into multiple hundreds).  


That depends on the complexity of your security policy.  If you keep 
your policy simple (as you should ;-) ), the expressions and the number 
of them you have to use to compute a given user's roles should also be 
simple.

>>Our difference of opinion is, AFAICT, rooted in different perceptions of
>>the need to filter catalog results based on access.  Obviously you don't
>>have that goal. :-)
>>
> 
> Sure, but that's why we're talking, right? I have my goal, you have your
> goal, and we're trying to figure out some approach that would make us
> both moderately happy. What do you think about the approach I listed above?


I'm not quite sure what you suggested.  Maybe my head is clouded by 
reminiscing over my early Zope days. :-)

Shane