Roles and permissions in Zope

If you're in a hurry

AUTHENTICATED_USER.has_role(role) is quite fast.
AUTHENTICATED_USER.has_permission(permission, context) is slower.
The more roles are granted a given permission, the slower has_permission gets (it also gets slower as the user has more roles, but less dramatically).

Why

The roles in a user object are stored as a tuple, so checking whether the user has a given role is just a scan of that tuple for the role (which is a string).

In the case of a permission, the roles are stored as a tuple at the point in the Zope object tree where the permission is defined. For example, let's say you defined that from object tree/o1 the permission 'p: foo' is granted to roles r1 and r2. In object tree/o1 you'll have a tuple: _p__foo_Permission = ('r1', 'r2'). So to check the permission, the Zope machinery first has to "climb the tree" of inheritance, looking for _p__foo_Permission. It then collects all the roles and basically checks AUTHENTICATED_USER.has_role(role) for every role until a match is found.

Since checking a role means looping through the user's list of roles, a permission check is basically two nested loops, against only one for a role check.
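The lookup described above, as an added example rather than Zope's own code: a simplified model that counts string comparisons for a role check and for a permission check. The Node and User classes, the comparisons counter, demo() and the fail-closed result when no mapping is found are assumptions of this sketch.

```python
import re

def permission_attr(permission):
    """Attribute name holding a permission's roles: 'p: foo' -> '_p__foo_Permission'."""
    return "_" + re.sub(r"[^A-Za-z0-9_]", "_", permission) + "_Permission"

class Node:
    """Constructed stand-in for an object in the tree (hypothetical)."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent

class User:
    def __init__(self, roles):
        self.roles = tuple(roles)
        self.comparisons = 0  # instrumentation for this example only

    def has_role(self, role):
        # Single loop: scan the user's role tuple for one string.
        for r in self.roles:
            self.comparisons += 1
            if r == role:
                return True
        return False

    def has_permission(self, permission, context):
        attr = permission_attr(permission)
        # Climb from the context towards the root until the mapping is found.
        node = context
        while node is not None and attr not in vars(node):
            node = node.parent
        if node is None:
            return False  # this model's choice: no mapping, no access
        # Nested loops: one has_role scan per role granted the permission.
        return any(self.has_role(role) for role in vars(node)[attr])

def demo():
    root = Node("tree")
    o1 = Node("o1", root)
    setattr(o1, permission_attr("p: foo"), ("r1", "r2"))  # defined at tree/o1
    doc = Node("doc", o1)                                 # constructed child
    user = User(["r0", "r2"])                             # constructed roles
    ok_role, role_cost = user.has_role("r2"), user.comparisons
    user.comparisons = 0
    ok_perm, perm_cost = user.has_permission("p: foo", doc), user.comparisons
    return ok_role, role_cost, ok_perm, perm_cost

if __name__ == "__main__":
    print(demo())
```

With two roles on the user and two roles granted the permission, the role check costs 2 comparisons and the permission check costs 4, before counting the climb from tree/o1/doc up to tree/o1.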

[Should also explain role in context]

Other functions

allowed
Authent of a function