Ok. Thanx. But why is it like this? I imagine that deleting an object in a folder where I do not have permission to delete every object, or the folder itself, is a quite common task. Using the manage_delObjects and a proxy really feels like I'm fighting the Zope security instead of getting support from it.

Or am I thinking wrong in the first place? What I really want to do is let users answer a question object, and the answers should be stored somewhere. A user must later be able to change or remove his answer, but of course not the answers of any other user. I place all answer objects belonging to a certain question in one folder, and I have the previously mentioned situation.

I know it is not that much of a problem to use a proxy, but if I can change my design in some way so I can avoid the proxy I imagine that would be better.

/Erik

On 4/18/06, Andreas Jung <lists@zopyx.com> wrote:
--On 18. April 2006 14:15:48 +0200 Erik Billing <erik@ekhagen.org> wrote:
I want to create a python script that deletes a specific file from a folder. For now, the user who is calling the script does not have the Delete objects permission on the folder, only on the file which he should be able to delete. I have previously used the delObjects method on the folder to remove the file, but this requires the Delete objects permission on the folder itself.
folder.manage_delObjects() is the only API method you should use. If your script needs additional permissions you must give the script the proxy role Manager.
-aj
-- ZOPYX Ltd. & Co. KG - Charlottenstr. 37/1 - 72070 Tübingen - Germany Web: www.zopyx.com - Email: info@zopyx.com - Phone +49 - 7071 - 793376 E-Publishing, Python, Zope & Plone development, Consulting
--On 18. April 2006 17:53:32 +0200 Erik Billing <erik@ekhagen.org> wrote:
Ok. Thanx. But why is it like this? I imagine that deleting an object in a folder where I do not have permission to delete every object, or the folder itself, is a quite common task. Using the manage_delObjects and a proxy really feels like I'm fighting the zope security instead of getting support by it.
I am not getting your point. manage_delObjects() *is* the recommended solution. Everyone uses it, you should use it. Using scripts with proxy role Manager is daily practice: I don't see why this approach should not fit your use case?! If it does not, explain...

-aj

-- ZOPYX Ltd. & Co. KG - Charlottenstr. 37/1 - 72070 Tübingen - Germany Web: www.zopyx.com - Email: info@zopyx.com - Phone +49 - 7071 - 793376 E-Publishing, Python, Zope & Plone development, Consulting
Erik Billing wrote:
Ok. Thanx. But why is it like this? I imagine that deleting an object in a folder where I do not have permission to delete every object, or the folder itself, is a quite common task. Using the manage_delObjects and a proxy really feels like I'm fighting the zope security instead of getting support by it.
Proxy roles are provided/supported by zope security machinery, where's the fight?
Or am I thinking wrong in the first place? What I really want to do is let users answer a question object, and the answers should be stored somewhere. A user must later be able to change or remove his answer, but of course not the answers of any other user. I place all answer objects belonging to a certain question in one folder, and I have the previously mentioned situation.
The only problem with proxy role (AFAICS) is users being able to delete answers from other users. In your current design the script with proxy role could (should) check if the current user is allowed to delete an answer (looking at some attribute). I don't see a big problem.
I know it is not that much of a problem to use a proxy, but if I can change my design in some way so I can avoid the proxy I imagine that would be better.
Well, store all answers from a user in the same folder.
Sl.
Ok. If proxy is the way to do it, then it is so, even though I still think it's a little backwards. But you have a good point Stefan, of course objects may be viewed as a property of the parent container, and the permissions follow from that. And of course it's not much of a problem to do the security check inside the python script, the question was meant to ask if this was the right way, which you clearly answered :P

Thank you all for your comments.

/Erik

On 4/18/06, Alexis Roda <alexis.roda.villalonga@gmail.com> wrote:
Erik Billing wrote:
Ok. Thanx. But why is it like this? I imagine that deleting an object in a folder where I do not have permission to delete every object, or the folder itself, is a quite common task. Using the manage_delObjects and a proxy really feels like I'm fighting the zope security instead of getting support by it.
Proxy roles are provided/supported by zope security machinery, where's the fight?
Or am I thinking wrong in the first place? What I really want to do is let users answer a question object, and the answers should be stored somewhere. A user must later be able to change or remove his answer, but of course not the answers of any other user. I place all answer objects belonging to a certain question in one folder, and I have the previously mentioned situation.
The only problem with proxy role (AFAICS) is users being able to delete answers from other users. In your current design the script with proxy role could (should) check if the current user is allowed to delete an answer (looking at some attribute). I don't see a big problem.
I know it is not that much of a problem to use a proxy, but if I can change my design in some way so I can avoid the proxy I imagine that would be better.
Well, store all answers from a user in the same folder.
Sl.
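The ownership check discussed in this thread, as an added example that is not part of the original messages or of Zope itself: because a script with proxy role Manager can delete anything in the folder for any caller, the script has to decide on its own whether the caller owns the answer. Answer, AnswerFolder, Unauthorized, owner_id and delete_own_answer are hypothetical stand-ins so the logic runs outside Zope; only manage_delObjects and objectIds are names taken from the folder API.

```python
class Unauthorized(Exception):
    """Stand-in for the exception a real script would raise."""


class Answer:
    def __init__(self, answer_id, owner_id):
        self.id = answer_id
        self.owner_id = owner_id  # hypothetical attribute, set when the answer is created


class AnswerFolder:
    """Minimal stand-in for the folder holding one question's answers."""

    def __init__(self, answers):
        self._objects = {a.id: a for a in answers}

    def objectIds(self):
        return sorted(self._objects)

    def __getitem__(self, object_id):
        return self._objects[object_id]

    def manage_delObjects(self, ids):
        # Under proxy role Manager nothing here stops any caller deleting any id.
        for object_id in ids:
            del self._objects[object_id]


def delete_own_answer(folder, answer_id, caller_id):
    """Delete answer_id only if caller_id owns it; fail closed otherwise."""
    # answer_id arrives from the request: accept one non-empty string, never a list.
    if not isinstance(answer_id, str) or not answer_id:
        raise Unauthorized("one answer id required")
    # Unknown ids and foreign answers get the same error, so ids cannot be probed.
    if caller_id is None or answer_id not in folder.objectIds():
        raise Unauthorized("not allowed")
    if folder[answer_id].owner_id != caller_id:
        raise Unauthorized("not allowed")
    folder.manage_delObjects([answer_id])
    return folder.objectIds()


if __name__ == "__main__":
    # Constructed sample data: two answers to one question.
    demo = AnswerFolder([Answer("a1", "alice"), Answer("a2", "bob")])
    print(delete_own_answer(demo, "a1", "alice"))  # alice removes her own answer
    try:
        delete_own_answer(demo, "a2", "alice")     # bob's answer: refused
    except Unauthorized as exc:
        print("refused:", exc)
```

In a real proxy-role script the caller id would come from the security machinery rather than from a request parameter, otherwise the check can be bypassed by naming another user.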
Participants (3): Alexis Roda, Andreas Jung, Erik Billing