-----Original Message----- From: Alexander Staubo [mailto:alex@mop.no] Sent: Wednesday, June 09, 1999 10:26 PM To: Zope Mailing List (E-mail) Subject: [Zope] Permission mappings, Z Classes, and acquisition
Let's say I create a Z Class "Document" and define some new permission types. Then for some objects in my Z Class I create permission mappings, such as "Add Documents, Images, and Files" and "Delete objects" mapping to my permission type "Manage documents". Then I create some instances of the Z Class in the folder "Documents". I define a new global role "DocumentAdmin". I want this role to manage documents in the "Documents" folder and all subfolders.
But there's the rub. I'd like to use acquisition to enable these security settings for all documents in this hierarchy. Zope only allows giving this permission to this role for each and every specific Z Class instance, because my custom permissions, such as "Manage documents", are not available on the folder level -- they're only available on instances.
Is this a bug? Isn't the permission list supposed to be a superset of all available permission types defined in the database? Am I missing something?
I don't think this is a bug. In order for you to aquire permissions from on up high, you must aquire them from a container. If you object is a container, then it's permissions can be aquired, but if it's container (say, a straight folder) does not define permissions it wants to aquire, then it can't.
Because of this design, I guess I have to create a dummy Z Class called "DocumentFolder" which defines my custom permissions, then let the root folder be an instance of this class. Which is fine, but I didn't expect having to do this. If this is by design, I'd like to know the rationale behind it.
This is how you'll have to do it. There is no "super" set of permissions anywhere. A plain folder containing your ZClass can't know what permissions it wants because acquisition works the other way. In fact, it's a feature that you can't acquire permissions down, because that would break the Zope law of delegation and abstraction of control. Managers in upper level folders would have to deal with a growing list of mostly un-related permissions they don't care about. So if you want to define your own permissions on your own object, and you want those objects to aquire from a containing parent, that containing parent must also define the permissions your objects are interested in. In your case, this involves creating a custom container of some sort. -Michel
Oh, and this is Zope 1.11.0pr1.
-- Alexander Staubo http://www.mop.no/~alex/ "`Ford, you're turning into a penguin. Stop it.'" --Douglas Adams, _The Hitchhiker's Guide to the Galaxy_
_______________________________________________ Zope maillist - Zope@zope.org http://www.zope.org/mailman/listinfo/zope
(For developer-specific issues, use the companion list, zope-dev@zope.org - http://www.zope.org/mailman/listinfo/zope-dev )