"John" == John Hunter <jdhunter@ace.bsd.uchicago.edu> writes:
    John> I have a class that inherits from RoleManager (via Folder).
    John> It defined additional roles, including 'Administrator'. I
    John> would like the Administrator to be able to view management
    John> screens and create objects of certain types, but not be able
    John> to delete or rename objects of certain types.

A followup - I've learned a bit more and realized I made a mistake in the
code I posted, so I want to focus my question.

Goal: allow authenticated users with Role 'Administrator' or 'Manager' to
access the manage_main screen of my instance, but disallow
non-authenticated users or users with other roles.

I've learned that ClassSecurityInfo supersedes __ac_permissions__, so I'm
focusing my energies here.  In the example below, RestrictedFolder derives
from Folder.

Example 1: I can access manage_main without password authentication.  I
want to be prompted for a password and given access if the user has role
Administrator or Manager.

  from AccessControl import ClassSecurityInfo
  from Globals import InitializeClass
  # RestrictedFolder is the product's own Folder subclass (defined elsewhere)

  class Workflow(RestrictedFolder):
      """ The base folder """
      meta_type = "Workflow"
      __ac_roles__ = ('Manager', 'Administrator', 'Researcher', 'Reviewer')

      # the permission guarding manage_main; Example 2 swaps the comment
      #permission = 'View management screens'
      permission = 'View'
      roles = ('Manager', 'Administrator')

      security = ClassSecurityInfo()
      security.setDefaultAccess('deny')

      def __init__(self, id=None):
          # snip
          pass

      # class-level default roles for the permission, then guard manage_main
      security.setPermissionDefault(permission, roles)
      security.declareProtected(permission, 'manage_main')
      def manage_main(self, *args, **kwargs):
          'does this need to be overridden to have security apply to it?'
          return RestrictedFolder.manage_main(self, *args, **kwargs)

  InitializeClass(Workflow)

Example 2: a user with Role Administrator cannot access manage_main; the
following error is produced (passwd is correct for this user):

  You are not authorized to access this resource.
  Username and password are not correct.

  (Also, an error occurred while attempting to render the standard error
  message.)

In this example, the code is the same as above, but I've reversed the
permission comment.  That is, permission = 'View management screens'.

I am calling InitializeClass(RestrictedFolder).  I am refreshing my product
and restarting my browser with each test.

Changing the default from 'deny' to 'allow' produces almost the same result
(the only difference is that in example 2 I don't get the part about the
standard error message).

I'm clearly missing something fundamental.  What?  I've read and reread the
Security sections of the ZDG and Zope Book, to no avail.

Thanks!
John Hunter

zope-2.7
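Editor's added example; it is not code from the post above and not Zope's own code. It is a plain-Python model of the rules that Zope 2's ClassSecurityInfo and InitializeClass turn into class attributes, so that the two variants in the post (manage_main guarded by 'View' versus by 'View management screens') can be traced without a running instance. The model rests on my reading of Zope 2's PermissionRole resolution, stated here as assumptions: a permission's roles are stored in an attribute named _<permission with spaces as underscores>_Permission, looked up on the object and then on each container up the chain; a tuple of roles ends that walk (not acquired) while a list is merged with what the containers grant; 'Manager' is the fallback when nothing is set; a user's roles in context are the global roles plus any local roles found up the chain. The site root that grants 'View' to Anonymous, the accounts, alice's local 'Administrator' role, and the names SecurityInfo, Node, make_workflow_class, USERS and decide are constructed for this example.

```python
DEFAULT_ROLES = ('Manager',)   # fallback when no setting is found on the chain


def pname(permission):
    # 'View management screens' -> '_View_management_screens_Permission'
    return '_%s_Permission' % permission.replace(' ', '_')


class SecurityInfo:
    """Stand-in for ClassSecurityInfo; apply() plays the InitializeClass step."""
    def __init__(self):
        self.protected = {}     # method name -> guarding permission
        self.defaults = {}      # permission -> roles (a tuple: not acquired)

    def declareProtected(self, permission, name):
        self.protected[name] = permission

    def setPermissionDefault(self, permission, roles):
        self.defaults[permission] = tuple(roles)

    def apply(self, cls):
        for name, permission in self.protected.items():
            setattr(cls, name + '__roles__', permission)
        for permission, roles in self.defaults.items():
            setattr(cls, pname(permission), roles)


class Node:
    """Content object in a containment chain (site root, folders, ...)."""

    def __init__(self, parent=None, grants=None, local_roles=None):
        self.parent = parent
        self.local_roles = local_roles or {}         # user name -> roles here
        for permission, roles in (grants or {}).items():
            setattr(self, pname(permission), roles)  # per-instance setting

    def chain(self):
        node = self
        while node is not None:
            yield node
            node = node.parent


def roles_for_permission(obj, permission):
    """Walk obj then its containers: a list is merged (acquired), a tuple stops."""
    attr, acquired = pname(permission), []
    for node in obj.chain():
        roles = getattr(node, attr, None)            # instance, then its class
        if isinstance(roles, tuple):
            return tuple(acquired) + roles
        if isinstance(roles, list):
            acquired.extend(roles)
    return tuple(acquired) or DEFAULT_ROLES


def can_call(user, obj, name):
    """user = (name, global roles).  A role held here (global roles plus local
    roles granted up the chain) must be among the guarding permission's roles."""
    permission = getattr(obj, name + '__roles__', None)
    if permission is None:   # undeclared: treated as setDefaultAccess('deny')
        return False
    held = set(user[1])
    for node in obj.chain():
        held.update(node.local_roles.get(user[0], ()))
    return bool(held & set(roles_for_permission(obj, permission)))


def make_workflow_class(permission, roles=None):
    """The post's Workflow with manage_main guarded by `permission` (both variants)."""
    class Workflow(Node):
        def manage_main(self):
            return 'management screen'

        def manage_delObjects(self):     # left at Zope's Manager-only default
            return 'deleted'

    security = SecurityInfo()
    if roles is not None:
        security.setPermissionDefault(permission, roles)
    security.declareProtected(permission, 'manage_main')
    security.declareProtected('Delete objects', 'manage_delObjects')
    security.apply(Workflow)
    return Workflow


USERS = {                                            # constructed accounts
    'anon': ('Anonymous User', ['Anonymous']),
    'alice': ('alice', ['Authenticated']),           # Administrator via local role
    'bob': ('bob', ['Authenticated', 'Researcher']),
    'mgr': ('mgr', ['Authenticated', 'Manager']),
}


def decide(cls, name):
    """Who may call cls.<name> under a root granting 'View' to Anonymous as a list."""
    root = Node(grants={'View': ['Manager', 'Anonymous']})
    wf = cls(parent=root, local_roles={'alice': ['Administrator']})
    return {who: can_call(user, wf, name) for who, user in USERS.items()}
```

Run decide() on make_workflow_class('View management screens', ('Manager', 'Administrator')) and only alice (Administrator through her local role) and the Manager get manage_main, while manage_delObjects stays Manager-only, which is the split the original question asked for. Run it on make_workflow_class('View') with no class default and manage_main inherits whatever the root grants for 'View', here including Anonymous, so in the model no login is demanded: the permission a method is declared under, and where that permission's roles are set along the chain, decide the outcome. The model treats an undeclared attribute as the post's setDefaultAccess('deny'); that setting never enters the decision for a method that has a declaration.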