[Zope] OOP Suggestion: allow local roles to restrict and not only extend user's roles.

Philipp Robbel philipp.robbel@epost.de
Fri, 31 Aug 2001 22:25:02 +0200


Dear everyone,

I'm badly stuck with my problem and while I think that I'm using valid OOP
design I don't think that Zope currently supports this.

Here's a description of my current design:
In our company there are different research groups whom I gave their own
subfolders.
/databases
/bioinformatics
etc.

Within each group there are pseudo-managers defined (i.e. they have most of
the full manager role, i.e. can create/delete documents etc., so I'll use
"manager" as role when describing my problem.)

I want all groups to share a common set of both DTML methods and SQL
functions, so I placed them in the root folder. In the root folder there is
for example a new management function that - when called like
/databases/show_management_screen - will show the management options for the
group specified by the containing folder. It will also allow database
inserts depending on the containing folder. I do that in my inherited
"show_management_screen" dtml method by using statements like:
    <dtml-call "sqlAddProjects(ResearchGroupName = id, ...)">
which will do:
    INSERT INTO table (...) VALUES(...) WHERE ResearchGroupName=<dtml-sqlvar
id type=nb>

It's critical that a manager from /databases is *not* allowed to access the
sql method in the /bioinformatics group, else he would be able to insert
values under a fake GroupID by calling the method like
/bioinformatics/sqlAddProjects directly.
Another thing that's critical is that no researcher from any group nor the
anonymous user has direct access to this Database method: that's why I not
only placed them in the root folder but also restricted the "Access contents
information", "Use Database Methods" and "View" permission of that
sqlAddProjects Method to Managers.

Problem which is solved by that: no anonymous user can access that method.
Problem that comes up: no Researcher (i.e. subfolder manager) can access
that method either, because root manager is, of course, != subfolder
manager.

Possible solution for inherited DTML methods:
a) Disable that "Access contents information", "Use DB Methods" and "View"
permissions protection in root folder.
b) Check for permissions in the method itself.
   <dtml-if "AuthenticatedUser.has_role(this(), ['Manager'])">
as outlined in http://www.zope.org/Members/tseaver/user_settable_passwords.
It's supposed to check, whether the accessing user has the Manager Role in
the context the DTML method is called on.

But this fails for SQL Methods and I'm pretty confident that there should be
a simpler way in Zope itself.

My idea to fully support this OOP design was the following:
Enable local roles not only to extend the user's roles but also restrict
them.

I.e. in my case I would define all researchers from the various groups in
the root acl_users folder as Managers. But - at the same time - change the
local roles of the root folder to _not_ give the researchers the Manager
role in the root folder (understandable?)
In the /databases folder, however, I would give the database-researcher back
his "Manager" role, via local roles.

This would solve my whole problem:
Step 1: restrict again all critical dtml and sql methods in the root folder
to managers (as already outlined above: "...but also restricted the "Access
contents information", "Use Database Methods" and "View" permission of that
sqlAddProjects Method to Managers").

Step 2: If the database researcher calls the "show_management_screen" dtml
method like /databases/show_management_screen it would work because
a) he is defined as Manager in the root folder (but local roles restrict
them there to be a "real" Manager)
b) he has the proper local roles set in his /databases folder so that there
he finally is a "real" Manager.

He couldn't, however, access the function like /show_management_screen (i.e.
in the root folder) or like /bioinformatics/show_management_screen: both
would be restricted by the local rules.

Shouldn't that be valid OOP design?

Please let me know what you think or - if I oversaw another solution to my
problem - please let me know how to solve it :-)

My original problem was outlined in my previous post at
   http://groups.yahoo.com/group/zope/message/70099
where I unfortunately didn't get any replies.

Thanks in advance,
Philipp Robbel