Hmmm. I see. So you're looking to create a role per-instance that has *only* the rights to that permission and execute the method by proxying as that role.

Taking a look at the source generated by the "Define Permissions" tab of the Zope management interface and other places:

- There exists a method called "manage_defined_roles" which I assume to be present for all objects. You can add this to your *Class_add method in the zclass that creates the instance. It looks like you call it like this (within the method you're trying to add a role to -- untested --):

  <dtml-call "manage_defined_roles?role=rolename">

- There exists another method called "manage_role" which adds permissions to your role and accepts arguments something like this (again, untested):

  <dtml-call "manage_role?role_to_manage=rolename&permissions:list=permissionname">

- And finally, there exists a method, "manage_proxy" that will allow you to assign a proxy role to a method, it looks like you call it something like this:

  <dtml-call "manage_proxy?roles:list=role">

Since you know that at least three roles exist from the root of any default Zope 2.x installation (anonymous, manager, owner), however, personally, I might try not to create a new role for that method, unless you're very, very concerned about security and you'd like to limit the role to that action only. I'd probably just give the permission to the manager role and proxy as manager. You're probably smarter, I'm just lazy :).

HTH,
Chris

-----Original Message-----
From: bruce@perens.com
To: bruce@perens.com; chris@iqgroup.com; zope@zope.org
Sent: 10/10/99 8:26 PM
Subject: RE: [Zope] list of naive questions

From: Chris McDonough <chris@iqgroup.com>
Why do you want to export a role with your product?
Because the proxy method needs only _one_ permission, and I would set that permission in the role, and not hassle the administrator with the need to create it. All administrators who use the product will have to do the exact same thing - create a role with one permission, which is a pretty good definition of when software should do something for you.

I have an object that users are allowed to create, but not modify afterward. But the usual method of creating objects in Zope is to create them and then modify their properties. Thus, there has to be a "constructor" method that can be called by unprivileged users and has permission to modify the properties of an object it's just created.

Thanks
Bruce
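
Added example (not part of the original thread, and not Zope code): a small stand-alone Python model of the trade-off discussed above, a proxy role holding one permission versus proxying as Manager. The Folder class, the construct function, the PropSetter role and the permission table are assumptions made for the illustration.

```python
# Simplified model of proxy roles, NOT Zope's API: while a method with proxy
# roles runs, permission checks use those roles instead of the caller's.
# Role and permission names below are constructed for the example.

class Unauthorized(Exception):
    pass

class Folder:
    def __init__(self):
        # permission -> roles that hold it here (constructed sample settings)
        self.grants = {
            "Add items": {"Anonymous", "Manager"},
            "Change properties": {"Manager"},
            "Delete objects": {"Manager"},
        }
        self.items = {}

    def add_role_with(self, role, permissions):
        """Create a role holding exactly the listed permissions."""
        for perm in permissions:
            self.grants.setdefault(perm, set()).add(role)

    def check(self, permission, roles):
        if not self.grants.get(permission, set()) & set(roles):
            raise Unauthorized(permission)

def construct(folder, caller_roles, proxy_roles, name, props, stray_delete=None):
    """Constructor that unprivileged users may call; its body runs as proxy_roles."""
    folder.check("Add items", caller_roles)       # users are allowed to create
    effective = proxy_roles or caller_roles       # proxy roles replace the caller's
    folder.check("Change properties", effective)  # needed to set the properties
    folder.items[name] = dict(props)
    if stray_delete is not None:                  # stands in for a bug in the method
        folder.check("Delete objects", effective)
        del folder.items[stray_delete]
    return folder.items[name]

if __name__ == "__main__":
    f = Folder()
    f.add_role_with("PropSetter", ["Change properties"])
    construct(f, ["Anonymous"], ["PropSetter"], "a", {"title": "x"})
    for proxy in (["PropSetter"], ["Manager"]):
        try:
            construct(f, ["Anonymous"], proxy, "b", {}, stray_delete="a")
            print(proxy, "-> stray delete succeeded")
        except Unauthorized as exc:
            print(proxy, "-> blocked:", exc)
```

With the one-permission role the unintended delete is refused; with Manager as the proxy role the same code path succeeds, which is the extra exposure the narrower role avoids.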