Per-user authorization to folder using SiteAccess rules
Hi All, I have a zope folder that contains multiple documents. Users order a document to be created by our communications office. That office then uploads that word document (not through ZMI). I want users to have access to ONLY those documents they have ordered. And all this needs to be done programmatically and not through ZMI. My first thought was to setup a SiteAccess Rule to get the current username and see if it matches with one of their orders and the requested word document. But it seems that SiteAccessRules, and more specifically __before_publishing_traverse__ occurs prior to user authentication. The script I was starting to write always sees the 'Anonymous User' when used as an Access Rule, but when viewed through the ZMI, it is the current user. Is there another way to do this? I'm thinking that when the document is uploaded, I set the owner to be the user that ordered it. Then I can set the permissions in this folder for View: ('Manager','Owner')? Any thoughts/better ways to do this? Thanks! Andy
Andy Altepeter wrote at 2004-5-7 10:59 -0500:
I have a zope folder that contains multiple documents. Users order a document to be created by our communications office. That office then uploads that word document (not through ZMI). I want users to have access to ONLY those documents they have ordered. And all this needs to be done programmatically and not through ZMI. ... Is there another way to do this?
Yes. Protect your documents by a permission granted only to priviledge roles. This will prevent normal users to access them directly. Provide an access service though a PythonScript. You can use the "sub_traversal" feature of "PythonScripts" to do this easily. Give this (or these) scripts a proxy role (see Zope book, for details) such that they have the necessary priviledge to access the documents. -- Dieter
On Fri, 2004-05-07 at 13:29, Dieter Maurer wrote:
Andy Altepeter wrote at 2004-5-7 10:59 -0500:
I have a zope folder that contains multiple documents. Users order a document to be created by our communications office. That office then uploads that word document (not through ZMI). I want users to have access to ONLY those documents they have ordered. And all this needs to be done programmatically and not through ZMI. ... Is there another way to do this?
Yes.
Protect your documents by a permission granted only to priviledge roles. This will prevent normal users to access them directly.
Is changing the 'View' permission on the container to: (Manager,<local priv role>) sufficient?
Provide an access service though a PythonScript. You can use the "sub_traversal" feature of "PythonScripts" to do this easily. Give this (or these) scripts a proxy role (see Zope book, for details) such that they have the necessary priviledge to access the documents.
Wow. That is such a slick pattern, and SO easy to setup. Many Thanks Dieter! Andy
Andy Altepeter wrote at 2004-5-7 15:56 -0500:
...
Protect your documents by a permission granted only to priviledge roles. This will prevent normal users to access them directly.
Is changing the 'View' permission on the container to: (Manager,<local priv role>) sufficient?
Probably. However, you might also want to restrict "Access contents information". Usually, "Access contents information" is used to protect access to the object itself and some of its elementary methods such as "getId", "title", ... -- Dieter
You can use the "sub_traversal" feature of "PythonScripts" to do this easily. Give this (or these) scripts a proxy role (see Zope book, for details) such that they have the necessary priviledge to access the documents.
Dieter, what is the "sub_traversal" feature ?? Robert
robert rottermann wrote at 2004-5-8 08:31 +0200:
... what is the
"sub_traversal" feature ??
That was quoted from "memory" which sometimes fails... I meant the "traverse_subpath" you find in the "Bindings" tab of PythonScripts. Almost surely, it is documented in the Zope Book. -- Dieter
participants (3)
-
Andy Altepeter -
Dieter Maurer -
robert rottermann