Define interface for getting full closure of a principal's groups; implement in PAU
This proposal was originally made on the Zope3-dev mailing list
Status:
IsImplemented rev 41374
Author:
Gary Poster
Primary problem:
We frequently want to know the full closure of group membership. The groups attribute of zope.security.interfaces.IGroupAwarePrincipal is a list of groups to which the principal directly belongs. The full closure--including the groups to which the principal's groups belong, for instance--must be calculated by any piece of code that needs it.
Secondary problem:
The description of zope.security.interfaces.IGroupAwarePrincipal.groups does not sufficiently clarify that it is not a full closure.
Consideration:
zope.security.interfaces.IGroupAwarePrincipal has been around for a while, and probably should not be materially changed (i.e., to redefine or add an attribute).
Solution:
1) Clarify the zope.security.interfaces.IGroupAwarePrincipal.groups description: change from "List of ids of groups the principal belongs to" to "List of ids of groups to which the principal directly belongs"
2) Add an additional interface to zope.security.interfaces:
    class IGroupClosureAwarePrincipal(IGroupAwarePrincipal):

        allGroups = interface.Attribute(
            "a readonly iterable of the full closure of the principal's groups.")
3) Make the principals in zope.app.authentication implement IGroupClosureAwarePrincipal. First cut of `allGroups` will be to make it a generator.
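An added example, not code from zope.app.authentication or from the original proposal: a generator-based `allGroups` that expands direct `groups` into the full closure, yielding each group once and terminating on membership cycles. The `Principal` class, the `DIRECT_GROUPS` registry, its ids, and the choice to exclude the principal's own id from the closure are assumptions made for illustration.

```python
# Constructed sample data (hypothetical ids):
# principal or group id -> ids of the groups it directly belongs to.
DIRECT_GROUPS = {
    "alice": ["editors"],
    "editors": ["staff", "reviewers"],
    "reviewers": ["staff"],      # diamond: "staff" is reachable by two paths
    "staff": ["everyone"],
    "everyone": [],
    "loop-a": ["loop-b"],        # misconfigured cycle between two groups
    "loop-b": ["loop-a"],
}


class Principal:
    """Hypothetical stand-in for a group-aware principal."""

    def __init__(self, id, registry):
        self.id = id
        self._registry = registry

    @property
    def groups(self):
        """Ids of groups to which the principal directly belongs."""
        return list(self._registry.get(self.id, ()))

    @property
    def allGroups(self):
        """Read-only iterable of the full closure of the principal's groups."""
        seen = {self.id}                     # assumption: never yield ourselves
        stack = list(reversed(self.groups))  # depth-first, direct groups first
        while stack:
            gid = stack.pop()
            if gid in seen:                  # already reported, or a cycle
                continue
            seen.add(gid)
            yield gid
            stack.extend(reversed(self._registry.get(gid, ())))


def is_member(principal, group_id, closure=True):
    """Membership test; closure=False only consults direct groups."""
    pool = principal.allGroups if closure else principal.groups
    return group_id in pool
```

A permission granted to "staff" is missed for "alice" when only `groups` is consulted, which is the gap the proposal closes.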
Risks:
Some might be unhappy that allGroups is not a hook point, but a convenience: that is, it will be a full closure, not an opportunity to be clever and redefine how group membership is calculated.
