Group plugins

Group plugins return the identifiers of the groups a principal is a member of. Since a principal can be either a user or a group, PAS can support nested group membership. The default PAS configuration does not support this, though.

Like other PAS interfaces, the IGroupsPlugin interface is simple and only specifies a single method:

def getGroupsForPrincipal(principal, request=None):
    """ principal -> ( group_1, ... group_N )
    o Return a sequence of group names to which the principal
      (either a user or another group) belongs.
    o May assign groups based on values in the REQUEST object, if present
    """

Here is a simple example:

from AccessControl import getSecurityManager

def getGroupsForPrincipal(self, principal, request=None):
    # The Manager group cannot be a member of itself
    if principal == "Manager":
        return ()

    # Only act on the current user
    if getSecurityManager().getUser().getId() != principal:
        return ()

    # Only act if the request originates from the local host.
    # When no request is passed in, this check is skipped.
    if request is not None:
        # Prefer the proxy-supplied header, fall back to the socket peer address
        ip = request.get("HTTP_X_FORWARDED_FOR", request.get("REMOTE_ADDR", ""))
        if ip != "127.0.0.1":
            return ()

    return ("Manager",)

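This puts the current user in the Manager group if the site is being accessed from the Zope server itself. Note that X-Forwarded-For is a request header: unless a trusted front-end proxy sets or overwrites it, its value is chosen by the client, so the check is only meaningful when Zope can be reached exclusively through such a proxy.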
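A stricter form of the locality check in the example above, written without Zope imports so it runs on its own. This is an added example, not code from the original page or from PAS. `TRUSTED_PROXIES`, `client_address` and `groups_for_principal` are hypothetical names, the request is modelled as a plain dict, and the front-end proxy is assumed to append the peer address it saw to X-Forwarded-For.

```python
import ipaddress

# Assumption: addresses of the reverse proxies allowed to set X-Forwarded-For.
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("127.0.0.1")})


def _parse(value):
    """Return an ip_address object, or None if value is not a valid address."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_address(request, trusted=TRUSTED_PROXIES):
    """Resolve the client address, ignoring forwarded headers from untrusted peers."""
    peer = _parse(request.get("REMOTE_ADDR", ""))
    if peer is None or peer not in trusted:
        return peer  # direct connection: the header is client-supplied, ignore it
    header = request.get("HTTP_X_FORWARDED_FOR", "")
    if not header.strip():
        return peer  # no proxy hop recorded: the peer is the client
    # Walk the chain right to left; the first hop that is not one of our
    # proxies is the address our own proxy actually saw.
    for hop in reversed(header.split(",")):
        addr = _parse(hop)
        if addr is None:
            return None  # malformed chain: fail closed
        if addr not in trusted:
            return addr
    return peer  # every recorded hop is one of our proxies: request is local


def groups_for_principal(principal, current_user_id, request=None):
    """Hypothetical stand-in for getGroupsForPrincipal, without Zope imports."""
    if principal == "Manager" or principal != current_user_id:
        return ()
    if request is None:
        return ()  # no request means no evidence of local access
    addr = client_address(request)
    if addr is None or not addr.is_loopback:
        return ()
    return ("Manager",)
```

Unlike the simple example, this version returns no groups when no request is available, and it only reads X-Forwarded-For when the socket peer is a listed proxy.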