[Zope-CMF] allowedUsersAndRoles

Florent Guillaume fg at nuxeo.com
Tue Feb 22 06:25:22 EST 2005


> I understand CMF uses allowedUsersAndRoles to be able to ensure that only
> content that a member is allowed to see displays in searches.
> 
> The problem we're having is that local role assignment near the root of
> our content takes ages, as CMF reindexes all the security information.
> We're already using QueueCatalog, so I was considering putting
> allowedRolesAndUsers in as a deferred index field.
> 
> I understand the effect of this would be that items might show
> inappropriately on search results for a minute until we process our queue,
> but an unauthorised member would be blocked when they clicked on the
> content.
> 
> Would there be any other effects?

No, allowedRolesAndUsers is only used by the catalog search, and the
items themselves still have their own security protection. Note though
that catalog search is used by various things like workflow worklists or
Topics or anything your application could want to do.

So it's a feasible strategy if it's ok to get inaccessible items from
time to time, and miss some newly accessible ones.

For a search results page, you can even easily post-filter to remove
inaccessible results, if it's not too costly for you.

BTW if you do many local role assignments near the root, you might want
to look at a groups management solution; it doesn't need any reindexing
at all.

Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)   CTO, Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   fg at nuxeo.com
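
The trade-off discussed in this thread, as an added example that is not part of the original post and is not Zope or CMF code: a toy Python model of a catalog whose allowedRolesAndUsers index is refreshed from a deferred queue, with a post-filter that re-checks each hit against the live item. All class, function and path names are hypothetical and the sample content is constructed.

```python
# Toy model, constructed for illustration (not Zope/CMF code).
class Item:
    def __init__(self, path, allowed):
        self.path = path
        self.allowed = set(allowed)  # live security on the object itself

    def can_view(self, principals):
        # Stands in for the item's own security protection.
        return bool(self.allowed & principals)

class DeferredCatalog:
    def __init__(self):
        self.items = {}  # path -> Item (the content)
        self.index = {}  # path -> indexed snapshot of allowedRolesAndUsers
        self.queue = []  # paths whose security changed but are not reindexed

    def add(self, item):
        self.items[item.path] = item
        self.index[item.path] = frozenset(item.allowed)

    def set_allowed(self, path, allowed):
        # The item changes immediately; the index only learns via the queue.
        self.items[path].allowed = set(allowed)
        self.queue.append(path)

    def process_queue(self):
        for path in self.queue:
            self.index[path] = frozenset(self.items[path].allowed)
        self.queue.clear()

    def search(self, principals):
        # Catalog search consults only the (possibly stale) index.
        return sorted(p for p, a in self.index.items() if a & principals)

    def search_filtered(self, principals):
        # Post-filter: drop hits the live item would refuse to show.
        return [p for p in self.search(principals)
                if self.items[p].can_view(principals)]

def demo():
    cat = DeferredCatalog()
    cat.add(Item("/site/report", {"Member"}))
    cat.add(Item("/site/draft", {"Manager"}))
    member = {"Member", "user:alice"}  # constructed principal set
    cat.set_allowed("/site/report", {"Manager"})            # access revoked
    cat.set_allowed("/site/draft", {"Manager", "Member"})   # access granted
    stale, filtered = cat.search(member), cat.search_filtered(member)
    cat.process_queue()
    return stale, filtered, cat.search(member)
```

In this model the post-filter removes the revoked item from the results before the queue runs, but the newly granted item only appears once the queue has been processed.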

