Richard Jennings wrote at 2005-1-29 06:55 +0100:

A python product I am developing needs a 'user-private' folderish object... ... If I have to do this, my first strategy would be to as follows: Use a __before_publishing_traverse__ hook on my root object to create a session data object.

Use its onAdd method to create the user-private object in the root object.

Seems to be a very indirect way. Why do you not create the object when you create the user? Or use the session object directly?

Use its onDelete method to destroy the user-private object.

Note that this is highly unreliable. Your session may go away without the "onDelete" method being called (e.g. when you shut down your Zope server).

I am assuming that this will cause the owner of the 'user-private' object to be the person who logged in and that setting its __ac_roles__ as 'Owner' will limit access to the object to just the session owner. (seems a bit complicated, though!)

"__ac_roles__" has a different purpose (it defines new roles created at this object). You must change the permission role mapping. You can use the "manage_permission" method for this (source somewhere in the "AccessControl" package).

My question to the Zope cognoscenti is: Is this a viable strategy?

will not work.

Is there a better solution?

Apparently, you want the lifetime of the "user-private object" be bound to the lifetime of the session. In this case, I would simply put it into the session. This is as safe (and private) as the session itself (which is not completely but rather safe). -- Dieter