wchr writes:
> thx - quite obvious. so - am I wrong if I consider that somehow inconsistent? the zope-security-model allows me to delegate add- and edit-permissions depending on meta_type, but concerning "Delete Objects" I'm only able to either disallow it or generally allow it for a certain context/role...

That's what the standard Zope permission system gives you. It's an artifact of the fact that you have type specific constructors but a generic (type independent) object deletion method.

You can build your own (type specific) deletion method and protect it in any way you like. It would make the object deletion security checks you like and then call the container's "manage_deleteObject" to delete the object. It may need a "proxy role" to overpower the restrictions you will probably impose on "manage_deleteObject".

Dieter
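
The pattern described in the reply above, sketched as an added example that is not part of the original message and is not Zope code. It is a plain-Python model: only the name "manage_deleteObject" is taken from the message, while the class, the role names, the policy table and the proxy-role mechanism are assumptions made for illustration.

```python
# Plain-Python model of the pattern in the reply above; none of this is Zope API.
# Role names and the per-type policy table are constructed for the example.

class Unauthorized(Exception):
    """Raised when a security check fails."""

class Folder:
    DELETE_ROLES = {"Manager"}            # generic permission, locked down
    # Hypothetical per-meta_type policy: which roles may delete which type.
    TYPE_DELETE_ROLES = {"Document": {"Editor", "Manager"}, "Image": {"Manager"}}
    PROXY_ROLES = {"Manager"}             # roles the wrapper runs with

    def __init__(self, objects):
        self.objects = dict(objects)      # id -> meta_type

    def manage_deleteObject(self, obj_id, roles):
        """Generic deletion: a single check, whatever the meta_type."""
        if not (set(roles) & self.DELETE_ROLES):
            raise Unauthorized("Delete Objects denied")
        del self.objects[obj_id]

    def delete_typed(self, obj_id, roles):
        """Type-specific deletion: check per meta_type, then delegate."""
        meta_type = self.objects[obj_id]
        allowed = self.TYPE_DELETE_ROLES.get(meta_type, set())  # default deny
        if not (set(roles) & allowed):
            raise Unauthorized(f"may not delete {meta_type}")
        # The caller's roles would fail the generic check, so the wrapper
        # substitutes its proxy roles for the delegated call.
        self.manage_deleteObject(obj_id, self.PROXY_ROLES)

def attempt(action, *args):
    """Run one deletion and report the outcome as a string."""
    try:
        action(*args)
        return "deleted"
    except Unauthorized:
        return "denied"

def demo():
    folder = Folder({"doc1": "Document", "img1": "Image"})
    editor = {"Editor"}
    results = {
        "typed doc1": attempt(folder.delete_typed, "doc1", editor),
        "typed img1": attempt(folder.delete_typed, "img1", editor),
        "direct img1": attempt(folder.manage_deleteObject, "img1", editor),
    }
    return results, sorted(folder.objects)
```

In this model the wrapper is the only path that reaches the generic method with elevated roles, so its own per-type check is the whole access decision and has to deny by default for unknown types.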