Security question: looking up constructor permission
Hi all .. .. my brain needs a nudge again. I need to fetch an object from the ZODB subject to security checks. This doesn't work: result = [self.restrictedTraverse(p.getPath()) for p in proxies] because for a path such as '/app/container/object' the user might have access to 'object' without having access to 'container'. I think this will work: user = self.REQUEST.AUTHENTICATED_USER for p in in proxies: o = p.getObject()) if user.has_permission(permission_name, o): result.append(o) but I don't know where to find 'permission_name'. It's the permission registered for the class at __init__ time: context.registerClass( class_instance, permission = 'Add %s' % classname, constructors = getConstructor(module, class_instance) ) Any hints? -- Jean Jordaan http://www.upfrontsystems.co.za
.. my brain needs a nudge again. I need to fetch an object from the ZODB subject to security checks. This doesn't work:
result = [self.restrictedTraverse(p.getPath()) for p in proxies]
because for a path such as '/app/container/object' the user might have access to 'object' without having access to 'container'.
AFAIK restrictedTraverse(path) checks roles on every step of the path. It uses the __role__ attribute of the object.
but I don't know where to find 'permission_name'. It's the permission registered for the class at __init__ time:
context.registerClass( class_instance, permission = 'Add %s' % classname, constructors = getConstructor(module, class_instance) )
The source (App/ProductContext.py/registerClass) says: "permission -- The permission name for the constructors. If not specified, then a permission name based on the meta type will be used." I think this is used for filtering items in the Add product listbox but I may be wrong. Anyway, by the docs this is a permission for creating that object, not for accessing. Regards, Sandor
I think this is used for filtering items in the Add product listbox but I may be wrong. Anyway, by the docs this is a permission for creating that object, not for accessing.
You may want to have a look at the declareObject* methods: http://zope.org/Documentation/Books/ZDG/current/Security.stx#3-45 Regards, Sandor
Hi Sandor Thanks for the reply.
AFAIK restrictedTraverse(path) checks roles on every step of the path. It uses the __role__ attribute of the object.
Yup, that's the problem. Here's what I ended up doing:: result = [] for p in self.Catalog({'meta_type': meta_type, prop_name: value}): obj = p.getObject() permission = obj.__ac_permissions__[0][0] if self.REQUEST.AUTHENTICATED_USER.has_permission(permission, obj): result.append(obj) That 'obj.__ac_permissions__[0][0]' looks dog-ugly to me. I'm sure there must be a better way.
You may want to have a look at the declareObject* methods: http://zope.org/Documentation/Books/ZDG/current/Security.stx#3-45
My objects are already protected: security.declareObjectProtected('View Customer') but this only helps when the user is browsing to the object through the web, or when I use 'restrictedTraverse' or another security- checker explicitly, as above. The 'obj.__ac_permissions__[0][0]' lookup returns the permission specified by the 'declareObjectProtected' call on the class. -- Jean Jordaan http://www.upfrontsystems.co.za /training <-- Zope/Plone training!
participants (2)
-
Jean Jordaan -
zope@netchan.cotse.net