[Zope-CMF] A very long permissions list ;-)
Chris Withers
chrisw@nipltd.com
Wed, 11 Apr 2001 15:05:31 +0100
Shane Hathaway wrote:
>
> > As an observation, many of the actions can be factored out to be the same:
> > 'Add x'
> > 'View x'
> > 'Edit x'
> > 'Manage x'
>
> Note that the CMF now uses simpler permissions: "Modify Portal Content",
> "Add Portal Content", etc.

Yes, but as you point out below, this breaks down when I want someone to be able
to edit documents, but not news items.

> I'm glad you saw this. We've struggled with this. In fact, it's worse
> than this: you often want to be able to change security based on object
> state, such as allowing a user to edit a page when it's in the "private"
> state but not when it's in the "published" state. But you want this to
> be a site-specific decision. So you get (m * n * o) permissions!

Well, to get the full dimensions, you probably want:

content type * content state * action * location * owner

...and I'm sure it could be made even worse with more flexibility ;-)

> Here is our plan: the configurable workflow will take over the role ->
> permission -> method mappings. There are several current views on the
> specifics, but essentially the workflow will manage security. Workflows
> can manage security in more flexible ways, such as allowing access to
> methods based on object state.

How will they interact with the security machinery and normal Zope permissions?

Also, where can I find out more about this workflow tool? I go to the
portal_workflow tool's ZMI in my portal and all I get is Undo, Ownership and
Security tabs.

It'd be great if stuff happened declaratively (if you see what I mean) rather
than having to programmatically check whether you can do something by consulting
the workflow tool all the time.

Am I making any sense or just writing unintelligible rubbish?

cheers,
Chris (tired, excuse typos and misunderstandings ;-)
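
Added example, not part of the original message and not CMF or Zope code: a stand-alone Python model of the idea discussed in this thread, where a per-type workflow table maps each state's permissions to roles instead of defining one named permission per combination. The "Editor" role, the sample types and states, and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product

# Constructed sample dimensions (illustrative, not taken from the CMF).
TYPES = ("Document", "News Item")
STATES = ("private", "published")
ACTIONS = ("View", "Modify Portal Content")

def naive_permissions():
    """One named permission per (type, state, action): the m * n * o blow-up."""
    return [f"{a} / {s} / {t}" for t, s, a in product(TYPES, STATES, ACTIONS)]

# Declarative alternative: the permission names stay fixed, and each workflow
# state of each content type says which roles hold them. Hypothetical table.
WORKFLOW = {
    "Document": {
        "private": {"View": {"Owner", "Editor"},
                    "Modify Portal Content": {"Owner", "Editor"}},
        "published": {"View": {"Anonymous"},
                      "Modify Portal Content": set()},
    },
    "News Item": {
        "private": {"View": {"Owner"},
                    "Modify Portal Content": {"Owner"}},
        "published": {"View": {"Anonymous"},
                      "Modify Portal Content": set()},
    },
}

@dataclass
class Content:
    portal_type: str
    state: str
    owner: str

def effective_roles(user, user_roles, obj):
    """Everyone is Anonymous; the object's owner also gets the Owner role."""
    roles = set(user_roles) | {"Anonymous"}
    if user == obj.owner:
        roles.add("Owner")
    return roles

def allowed(user, user_roles, obj, permission):
    """Deny by default: unknown type, state or permission grants nothing."""
    granted = (WORKFLOW.get(obj.portal_type, {})
                       .get(obj.state, {})
                       .get(permission, set()))
    return bool(granted & effective_roles(user, user_roles, obj))
```

The security check stays a single lookup on the object's current state, so a site changes who may edit what by editing the table rather than by adding permissions.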