Thanks Lennart! Proxy roles do sound like the answer, but I cannot get them working. When I restrict my private script so that only Managers have View permissions and give my public script Manager proxy roles, I am still prompted for a login box when I try to view the public script. When I cancel, I get the following error:

Error Type: Unauthorized
Error Value: You are not allowed to access 'meta_type' in this context

This is different from the standard "You are not authorized to access this resource. No Authorization header found." error which I get when I try to access the private script directly, but conveys little to me. What does it mean and how do I fix it?

On 2/11/06, Lennart Regebro <regebro@gmail.com> wrote:
> On 2/11/06, Michael Shulman <shulman@mathcamp.org> wrote:
> > Is there a way in Zope to restrict permissions for direct access only (i.e. calling an object through the web) but still allow indirect access (i.e. executing an object that was called by another object that was called through the web)?
>
> Yes. If that "other object" is disk-based python, it is most likely able to do it already. If it is a python-script, you can set it up to have a proxy role. That way your auxiliary scripts can all require manager roles, and you can give the scripts that need to call them the Manager proxy-role.
>
> > Feel free to tell me that I am misunderstanding the way security works, or is supposed to work, in Zope, or that if this is something I need to do I am designing my site incorrectly from the point of view of Zope security (and if so, what is the correct way to design it?).
>
> No, you seem to have got it. Although the next time you do something that complex you might want to look into making a disk-based product instead. It's often easier for complex features.
>
> --
> Lennart Regebro, Nuxeo http://www.nuxeo.com/
> CPS Content Management http://www.cps-project.org/