Group plugins return the identifiers for the groups a principal is a member of. Since a principal can be either a user or a group this means that PAS can support nested group members. The default PAS configuration does not support this though.
Like other PAS interfaces, the
interface is simple and only specifies a single method:
def getGroupsForPrincipal(principal, request=None): """ principal -> ( group_1, ... group_N ) o Return a sequence of group names to which the principal (either a user or another group) belongs. o May assign groups based on values in the REQUEST object, if present """
Here is a simple example:
def getGroupsForPrincipal(self, principal, request=None): # Manager can not be itself if principal == "Manager": return () # Only act on the current user if getSecurityManager().getUser().getId() != principal: return () # Only act if the request originates from the local host if request is not None: ip=request.get("HTTP_X_FORWARDED_FOR", request.get("REMOTE_ADDR", "")) if ip != "127.0.0.1": return () return ("Manager",)
This puts the current user in the Manager group if the site is being accessed from the Zope server itself.