hoarfrost: zope, etc.
"we'll know where when we get there, you said." -sonic youth




Wednesday, August 14, 2002
 

Zope and CMF permission nightmares
I'm building a CMF application right now. I've been in a bit of a permission quandary for a while now. Here's the problem: Sales Reps should only see their own Sales Leads. Sales Managers should only see Sales leads in their region. Various other people need to see all Sales Leads or various combinations of regions. Satisfying one of these requirements is easy. Satisfying all of them is hard (at least to me). Here are the solutions I've come up with so far. All of them are far less than elegant.

1. Put all the Sales Leads in a common folder and set the permissions on each Sales Lead object.

Why not? I don't want to try to maintain permissions on every object. If I ever need to change the permissions for a role, I'll end up having to write code to go through and change the permissions on every single Sales Lead. Granted that it shouldn't be a big deal if I use the portal_catalog, but why should I have to do that if all the Sales Leads could acquire the correct permissions from a container?

2. Create a folder for each region and put the Sales Leads for each region in the corresponding folders. Set the correct permissions on each folder.

This seems like it will solve the problems I have with the first solution. One problem though. Not all of the Sales Leads in a particular region should have the same permissions. A Sales Rep is only supposed to see their own leads. That's ok, we'll just take away the View permission for "Members", and only give it to "Owners" and any other roles that should be able to view all of the Sales Leads in a particular region. Bzzzt. Wrong again. If the Sales Rep doesn't have View permission on the containing folder, the breadcrumbs for the skin won't work. There are probably other things that will break as well. Hmm... what if we create a "View Sales Leads" permission? That way Sales Reps can still have the regular View permission on the region folder, and we can restrict their access to only view Sales Leads that they own. That sounds like it will work, but then the permissions for each catalog object break. Each catalog object in the portal_catalog gets its View permission from the View permission of the object it represents. I don't exactly feel like subclassing and hacking on the portal_catalog. This should be easier than that.

There are other solutions that I've thought of, including leaving the Sales Leads in each member's directory, but each of them seems equally complicated. Maybe I'm just trying to bend Zope's security framework in a way it was not meant to be bent. It seems like I'm going about things the wrong way, but I don't see an elegant solution to all this. Any ideas would be much appreciated.
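To make the two halves of option 2 concrete, here is an added toy model (editor's example, not code from the original post and not Zope's actual security API) of how Zope-style permission settings and local roles acquire up the containment chain. It builds one folder per region, first with View itself narrowed on the region folders and then with View left open and the leads gated by a custom "View Sales Leads" permission, and it reproduces the catalog problem described above by protecting each index entry with the View permission of the object it represents. The users, regions and lead names are constructed for illustration.

```python
# Added example (not from the original post, not Zope's real API): a toy model
# of Zope-style permission acquisition and local roles, used to replay the
# post's option 2 with and without a custom "View Sales Leads" permission.
# Users, regions and lead names are constructed for illustration.


class Node:
    """A content object or folder. Permissions and local roles acquire upward."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        # perm -> (roles granted here, also acquire the parent's roles?)
        self.perm_settings = {}
        # user -> local roles granted on this node (and everything inside it)
        self.local_roles = {}

    def set_permission(self, perm, roles, acquire=True):
        self.perm_settings[perm] = (set(roles), acquire)

    def grant_local_role(self, user, role):
        self.local_roles.setdefault(user, set()).add(role)

    def chain(self):
        """This node and its containers, innermost first."""
        node, out = self, []
        while node is not None:
            out.append(node)
            node = node.parent
        return out


def roles_with_permission(node, perm):
    """Roles holding `perm` on `node`: explicit settings, plus the parent's
    roles when the setting acquires (or when there is no setting at all)."""
    if node is None:
        return set()
    if perm not in node.perm_settings:
        return roles_with_permission(node.parent, perm)
    roles, acquire = node.perm_settings[perm]
    if acquire:
        return roles | roles_with_permission(node.parent, perm)
    return set(roles)


def roles_for(user, node, global_roles):
    """Global roles plus every local role on the node or any of its containers."""
    roles = set(global_roles.get(user, ()))
    for n in node.chain():
        roles |= n.local_roles.get(user, set())
    return roles


def allowed(user, node, perm, global_roles):
    return bool(roles_for(user, node, global_roles) & roles_with_permission(node, perm))


def catalog_search(user, leads, global_roles):
    """The post's catalog problem: an index entry is protected by the View
    permission of the object it represents, whatever other permission
    actually guards the object."""
    return sorted(
        lead.name for lead in leads
        if roles_for(user, lead, global_roles) & roles_with_permission(lead, "View")
    )


def evaluate(custom_permission):
    """Option 2 from the post. custom_permission=False narrows View on the
    region folders; True keeps View open and gates leads with a new permission."""
    global_roles = {u: {"Member"} for u in ("alice", "bob", "carol", "dave")}
    portal = Node("portal")
    portal.set_permission("View", {"Manager", "Member"}, acquire=False)
    portal.set_permission("View Sales Leads", {"Manager"}, acquire=False)
    leads_folder = Node("leads", portal)
    gate = "View Sales Leads" if custom_permission else "View"
    east, west = Node("east", leads_folder), Node("west", leads_folder)
    for folder in (east, west):
        folder.set_permission(gate, {"Owner", "Sales Manager", "Manager"}, acquire=False)
    east.grant_local_role("carol", "Sales Manager")   # carol manages the east region
    lead_a, lead_b, lead_w = Node("lead_a", east), Node("lead_b", east), Node("lead_w", west)
    for lead, rep in ((lead_a, "alice"), (lead_b, "bob"), (lead_w, "dave")):
        lead.grant_local_role(rep, "Owner")           # the rep who created the lead
    leads = [lead_a, lead_b, lead_w]
    return {
        "rep_sees_region_folder": allowed("alice", east, "View", global_roles),
        "rep_sees_own_lead": allowed("alice", lead_a, gate, global_roles),
        "rep_sees_other_rep_lead": allowed("bob", lead_a, gate, global_roles),
        "manager_sees_region_lead": allowed("carol", lead_a, gate, global_roles),
        "manager_sees_other_region_lead": allowed("carol", lead_w, gate, global_roles),
        "catalog_results_for_bob": catalog_search("bob", leads, global_roles),
    }


if __name__ == "__main__":
    for custom in (False, True):
        print("custom permission:", custom)
        for key, value in evaluate(custom).items():
            print(f"  {key}: {value}")
```

Running it shows the trade-off exactly as the post lays it out: with View narrowed on the region folder, a rep is correctly limited to their own leads but loses View on the folder itself (the breadcrumb breakage), while with the custom permission the rep keeps the folder but the catalog, keyed on View alone, hands every lead in the portal back to any Member who searches. The second result is the one worth a regression test in a real deployment, since a search form quietly widening what a direct URL forbids is easy to miss.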
1:55:55 PM    



© Copyright 2002 Joseph Kocherhans.
Last update: 9/19/02; 1:00:22 PM.