[Zope-CMF] A very long permissions list ;-)

Shane Hathaway shane@digicool.com
Mon, 09 Apr 2001 13:57:59 -0400


Chris Withers wrote:
> Basically, as I see it, each meta_type has a list of actions associated with it.
> These are currently each assigned a permission:
> 'Add news item'
> 'Edit news item'
> ...etc...
> 
> So, you end up with n * m permissions in each system where n is the number of
> actions and m is the number of content/meta types.

That's right.  The model of mapping methods to global permission names
leads to this.

> As an observation, many of the actions can be factored out to be the same:
> 'Add x'
> 'View x'
> 'Edit x'
> 'Manage x'

Note that the CMF now uses simpler permissions: "Modify Portal Content",
"Add Portal Content", etc.

> Is there any way this could be factored out at the Zope or CMF level to make
> life easier and quicker? Has it been done already? (just in case I missed
> something...)

I'm glad you saw this.  We've struggled with this.  In fact, it's worse
than this: you often want to be able to change security based on object
state, such as allowing a user to edit a page when it's in the "private"
state but not when it's in the "published" state.  But you want this to
be a site-specific decision.  So you get (m * n * o) permissions!

Here is our plan: the configurable workflow will take over the role ->
permission -> method mappings.  There are several current views on the
specifics, but essentially the workflow will manage security.  Workflows
can manage security in more flexible ways, such as allowing access to
methods based on object state.

Questions?

Shane
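
The workflow-managed security described in the message above, as an added sketch that is not part of the original post and is not CMF code: it contrasts the per-(action, type, state) permission count with a small set of generic permissions whose role mapping is looked up from the object's workflow state. The `Workflow` class, its methods, the role names and all sample data are assumptions made for illustration.

```python
from itertools import product

# Constructed sample data: illustrative names, not the CMF's own configuration.
ACTIONS = ["Add", "View", "Edit", "Manage"]
TYPES = ["news item", "document", "link"]
STATES = ["private", "published"]

def flat_permission_names(actions, types, states):
    """One global permission per (action, type, state): the m * n * o blow-up."""
    return [f"{a} {t} ({s})" for a, t, s in product(actions, types, states)]

class Workflow:
    """Hypothetical workflow that owns the state -> permission -> roles mapping."""

    def __init__(self, state_permissions, transitions):
        self.state_permissions = state_permissions
        self.transitions = transitions

    def allowed(self, obj, roles, permission):
        # Default deny: an unknown state or unmapped permission grants nothing.
        granted = self.state_permissions.get(obj["state"], {}).get(permission, frozenset())
        return bool(granted & set(roles))

    def transition(self, obj, roles, name):
        src, dst, required_roles = self.transitions[name]
        if obj["state"] != src or not (required_roles & set(roles)):
            raise PermissionError(f"{name!r} not allowed from state {obj['state']!r}")
        obj["state"] = dst  # access changes with the state; no per-object ACL edit

# Site-specific policy: owners may edit only while the content is private.
SITE_WORKFLOW = Workflow(
    state_permissions={
        "private": {"View": frozenset({"Owner", "Manager"}),
                    "Modify Portal Content": frozenset({"Owner", "Manager"})},
        "published": {"View": frozenset({"Anonymous", "Owner", "Manager"}),
                      "Modify Portal Content": frozenset({"Manager"})},
    },
    transitions={"publish": ("private", "published", frozenset({"Manager"}))},
)
```

Adding a content type or a state here changes only the workflow table, while the set of permission names stays fixed.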