Martin Aspeli wrote:
So, here is what I'd like to propose, ideally for Zope 2.12:
1) Use an event handler to ensure that any <permission /> declared in ZCML actually creates a valid, Zope 2 permission. I have working code for this here which we could put in Products.Five with ease.
+1
2) Emit a warning instead of an error in Five's handler for the <class /> directive when set_attributes or set_schema are used.
+1
3) Change the Permission class in AccessControl so that it tries to look up an IPermission utility and use the title of that utility as the permission name, falling back on the current behaviour of using the passed permission name directly.
-1

I think we should start advertising the zope.security API for this instead. For example:

    from zope.security import checkPermission
    checkPermission('zope2.Private', context)

This works by looking up the current security interaction from a thread local, which in Five's case is a FiveSecurityPolicy. This policy delegates to the checkPermission function found in Products.Five.security which does exactly what you want:

    if (permission in ('zope.Public', 'zope2.Public') or
            permission is None or permission is CheckerPublic):
        return True

    if isinstance(permission, basestring):
        permission = queryUtility(IPermission, unicode(permission))
        if permission is None:
            return False

    if getSecurityManager().checkPermission(permission.title, object):
        return True

    return False
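A stand-alone model of the lookup chain described in the reply above, added here as an example and not code from Products.Five or zope.security: a thread-local policy resolves a permission id to its title and only then asks a Zope 2 style security manager. The class names, the dict registry and the `example.*` permission ids are constructed stand-ins.

```python
import threading
from collections import namedtuple

# Stand-in for an IPermission utility: the ZCML id plus its title, where the
# title plays the role of the Zope 2 permission name.
Permission = namedtuple("Permission", "id title")
CheckerPublic = object()      # stand-in for zope.security's CheckerPublic marker
REGISTRY = {}                 # stand-in for the IPermission utility registry
_local = threading.local()    # stand-in for the thread-local interaction


class StubSecurityManager:
    """Stand-in for the Zope 2 security manager: it knows titles only."""
    def __init__(self, granted):
        self.granted = set(granted)

    def checkPermission(self, name, obj):
        return name in self.granted


class ModelPolicy:
    """Stand-in for FiveSecurityPolicy: resolve the id, then delegate."""
    def __init__(self, manager):
        self.manager = manager

    def checkPermission(self, permission, obj):
        if (permission in ("zope.Public", "zope2.Public")
                or permission is None or permission is CheckerPublic):
            return True                   # public, and also a None permission
        if isinstance(permission, str):
            permission = REGISTRY.get(permission)
            if permission is None:        # unregistered id is denied
                return False
        return self.manager.checkPermission(permission.title, obj)


def check_permission(permission, obj):
    """Stand-in for zope.security.checkPermission: uses this thread's policy."""
    return _local.interaction.checkPermission(permission, obj)


def demo():
    # Constructed sample permissions; only the title "View" is granted.
    for pid, title in [("example.View", "View"), ("example.Manage", "Manage")]:
        REGISTRY[pid] = Permission(pid, title)
    _local.interaction = ModelPolicy(StubSecurityManager({"View"}))
    ids = ["example.View", "example.Manage", "example.Typo", "zope2.Public", None]
    return {pid: check_permission(pid, object()) for pid in ids}
```

In this model a misspelled or unregistered id is denied, while a permission of `None` is allowed, matching the first branch of the function quoted in the reply.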