.. my brain needs a nudge again. I need to fetch an object from the ZODB subject to security checks. This doesn't work:
result = [self.restrictedTraverse(p.getPath()) for p in proxies]
because for a path such as '/app/container/object' the user might have access to 'object' without having access to 'container'.
AFAIK restrictedTraverse(path) checks roles on every step of the path. It uses the __role__ attribute of the object.
but I don't know where to find 'permission_name'. It's the permission registered for the class at __init__ time:
context.registerClass( class_instance, permission = 'Add %s' % classname, constructors = getConstructor(module, class_instance) )
The source (App/ProductContext.py/registerClass) says: "permission -- The permission name for the constructors. If not specified, then a permission name based on the meta type will be used." I think this is used for filtering items in the Add product listbox but I may be wrong. Anyway, by the docs this is a permission for creating that object, not for accessing. Regards, Sandor