On Thu, 11 Nov 1999, Otto Hammersmith wrote:
It seems the only way to securely handle all this is to roll your own folder that can't hold Z SQL Methods, or anything else that users don't really need. (Incidentally, if I did this with Z Classes, would there be any performance implications?)
Write manage_safeaccessForm and manage_safeaccess DTML methods. Give manage_safeaccess the manager proxy role. manage_safeacessForm is simply a form that allows you to do a subset of the normal security form. manage_safeaccess sanitizes the request and passes the results through to the relevant change-permissions method. This way a user with access to manage_safeaccessForm and manage_safeaccess can alter whatever subset of permissions you define in a folder, and all subfolders through aquisition. But not individual objects.
Would it be possible with Z Classes to modify either the constructor or the addForm to restrict who can create certain objects? Would it be possible in Python products? That seems to be the appropriate place to control what objects can be created by whom.
You can check what roles the current AUTHENTICATED_USER has, and raise an exception if they should be able to create this object. You would need to call: folder.get_local_roles_for_userid(AUTHENTICATED_USER.getUserName()) Assuming folder is the folder your ZClass or Python product is being added to. ___ // Zen (alias Stuart Bishop) Work: zen@cs.rmit.edu.au // E N Senior Systems Alchemist Play: zen@shangri-la.dropbear.id.au //__ Computer Science, RMIT WWW: http://www.cs.rmit.edu.au/~zen