John Hunter wrote:
"John" == John Hunter <jdhunter@ace.bsd.uchicago.edu> writes:
John> I have a class that inherits from RoleManager (via Folder). John> It defined additional roles, including 'Administrator'. I John> would like the Administrator to be able to view management John> screens and create objects of certain types, but not be able John> to delete or rename objects of certain types.
A followup - I've learned a bit more and realized I made a mistake in the code I posted so I want to focus my question.
Goal: allow authenticated users with Role 'Administrator' or 'Manager' to access the manage_main screen of my instance, but disallow non-authenticated users or users with other roles.
I've learned that ClassSecurityInfo supersedes __ac_permissions__, so I'm focusing my energies here
In the example below, RestrictedFolder derives from Folder
Example 1: I can access manage_main w/o no passwd authentication. I want to be prompted for passwd and given access if user has role Administrator or Manager
class Workflow(RestrictedFolder): """ The base folder """ meta_type="Workflow"
__ac_roles__=('Manager', 'Administrator', 'Researcher', 'Reviewer')
#permission = 'View management screens' permission = 'View' roles = ('Manager', 'Administrator') security = ClassSecurityInfo() security.setDefaultAccess('deny')
def __init__(self, id=None): # snip pass
security.setPermissionDefault(permission, roles) security.declareProtected(permission, 'manage_main') def manage_main(self, *args, **kwargs): 'does this need to be overridden to have security apply to it?' return RestrictedFolder.manage_main(self, *args, **kwargs) InitializeClass(Workflow)
Example 2: a user with Role Administrator cannot access manage_main, the following error is produced (passwd is correct for this user)
You are not authorized to access this resource.
Username and password are not correct. (Also, an error occurred while attempting to render the standard error message.)
In this example, the code is the same as above, but I've reversed the permission comment. That is, permission = 'View management screens'
I am calling InitializeClass(RestrictedFolder). I am refreshing my product and restarting my browser with each test. Changing the default from 'deny' to 'allow' produces almost the same result (the only difference is in example 2 I don't get the part about the standard error message_
I'm clearly missing something fundamental. What?
You got the first part right and that is making security declarations on your class, but you still have to specify security on the folder instance by going to the security tab and giving 'Administrator' the required permissions or writing code that does this automatically when you create the folder. I think you are misunderstanding what __ac_roles__ mean - this only provides pre-defined role names. -- Roché Compaan Upfront Systems http://www.upfrontsystems.co.za