Permissions / System design (zope Newbie)
Hello,

I have two user groups (role student and role staff). In the following setup the method view shows Information about the XY-File stored as Properties of XY.pdf. Both roles should be allowed to view this information. _The students_must_not_be able to download XY.pdf._

My Setup:

+-+-DTML-Method: view
  I
  +-Folder: data
    I
    +-File: XY.pdf

In order to make data/XY.pdf/view accessible to the students they must have the rights 'view' and 'Access contents information' on XY.pdf. Which means they also can download the file, which is unwanted.

Now I thought for solutions:

Variant A: Replace the view method by a python script show(id) which gets the Document-Id (eg XY.pdf) as Parameter and is called on the data-folder. Then setting up a proxy for show(id), so that students can call it, although they don't have any permissions on XY.pdf:

+-+-python-Script: show(id)
  I
  +-Folder: data
    I
    +-File: XY.pdf

I must call data/show?id=XY.pdf to get the information about XY
Disadvantages: Not really object oriented. Needs writing a new show-script and rewriting other methods in the project because calls are now going to other URLs. More difficulties if show needs additional cgi-Parameters

Variant B: Setting up 2 Trees, data for the staff, public for students. Write a script that copies everything from data to public except the Files like XY.pdf, which should be 0-Byte copies, but with all properties.
Disadvantages: Ugly redundancy. Costs disk-space and time for copying.

What do you think about my problem? What should I do? Have I overseen something and are there better solutions?

Thanks in advance.

Tilo
Hi Tilo,

why don't you use a property "download permission" mapped to a new permission? You can grant the new permission only to role staff, to avoid the students changing the property themselves when accessing the view method!

Hope this helps,
--peppo

PS: are you storing the PDFs on the file system or in the ZooDB?
Hi Tilo,

why don't you just set your view method an appropriate proxy role? This allows users to access view while they are not able to access the object directly.

HTH
Tino Wildenhain

--On Saturday, 18 August 2001 17:06 +0200 Tilo Renz <tilo.renz@student.uni-ulm.de> wrote:
> Hello,
>
> I have two user groups (role student and role staff). In the following setup the method view shows Information about the XY-File stored as Properties of XY.pdf. Both roles should be allowed to view this information. _The students_must_not_be able to download XY.pdf._
>
> My Setup:
>
> +-+-DTML-Method: view
>   I
>   +-Folder: data
>     I
>     +-File: XY.pdf
>
> In order to make data/XY.pdf/view accessible to the students they must have the rights 'view' and 'Access contents information' on XY.pdf. Which means they also can download the file, which is unwanted.
>
> Now I thought for solutions:
>
> Variant A: Replace the view method by a python script show(id) which gets the Document-Id (eg XY.pdf) as Parameter and is called on the data-folder. Then setting up a proxy for show(id), so that students can call it, although they don't have any permissions on XY.pdf:
>
> +-+-python-Script: show(id)
>   I
>   +-Folder: data
>     I
>     +-File: XY.pdf
>
> I must call data/show?id=XY.pdf to get the information about XY
> Disadvantages: Not really object oriented. Needs writing a new show-script and rewriting other methods in the project because calls are now going to other URLs. More difficulties if show needs additional cgi-Parameters
>
> Variant B: Setting up 2 Trees, data for the staff, public for students. Write a script that copies everything from data to public except the Files like XY.pdf, which should be 0-Byte copies, but with all properties.
> Disadvantages: Ugly redundancy. Costs disk-space and time for copying.
>
> What do you think about my problem? What should I do? Have I overseen something and are there better solutions?
>
> Thanks in advance.
>
> Tilo
> I have two user groups (role student and role staff). In the following setup the method view shows Information about the XY-File stored as Properties of XY.pdf. Both roles should be allowed to view this information. _The students_must_not_be able to download XY.pdf._

Hi!

There is a rather easy solution:

You need a "view" method in root that displays the attributes of the PDF docs, something like:

<dtml-var standard_html_header>
<dtml-var id><br>
<dtml-var docSize>
<dtml-var standard_html_footer>

The students should be able to view that method. Then create a folder in root, called "docs" or so. For this folder, you grant "Access contents information" to students, but not the "View" permission.

Now you can do http://yourserver/docs/aPdfDocument.pdf/view as a student, but if you do http://yourserver/docs/aPdfDocument.pdf, you'll get an error.

Joachim
Joachim Werner wrote:

> > I have two user groups (role student and role staff). In the following setup the method view shows Information about the XY-File stored as Properties of XY.pdf. Both roles should be allowed to view this information. _The students_must_not_be able to download XY.pdf._
>
> Hi!
>
> There is a rather easy solution:
>
> You need a "view" method in root that displays the attributes of the PDF docs, something like:
>
> <dtml-var standard_html_header>
> <dtml-var id><br>
> <dtml-var docSize>
> <dtml-var standard_html_footer>
>
> The students should be able to view that method. Then create a folder in root, called "docs" or so. For this folder, you grant "Access contents information" to students, but not the "View" permission.
>
> Now you can do http://yourserver/docs/aPdfDocument.pdf/view as a student, but if you do http://yourserver/docs/aPdfDocument.pdf, you'll get an error.

My observation is that I need the "View" permission on the pdf to access http://yourserver/docs/aPdfDocument.pdf/view, which includes the ability to download http://yourserver/docs/aPdfDocument.pdf

Tilo
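Added example, not part of any message in this thread and not Zope code: a simplified Python model of the permission checks discussed above. It assumes, following Tilo's last observation, that reading the file's properties through view needs 'View' on XY.pdf, and it models Tino's suggestion as proxy roles replacing the caller's roles while the method runs. The class and function names and the sample property values are made up for illustration.

```python
# Simplified model of the thread's setup; this is NOT Zope's security code.
# Assumption: while a method with proxy roles runs, permission checks use
# those roles in place of the calling user's roles.
class Unauthorized(Exception):
    pass

class Protected:
    """Object with a role -> permissions map and properties (sample data)."""
    def __init__(self, name, grants, **props):
        self.name, self.grants, self.props = name, grants, props

    def allows(self, roles, permission):
        return any(permission in self.grants.get(r, ()) for r in roles)

def check(obj, roles, permission):
    if not obj.allows(roles, permission):
        raise Unauthorized(f"{permission!r} on {obj.name} for {sorted(roles)}")

def download(user_roles, pdf):
    """Direct request for data/XY.pdf, checked against the user's roles."""
    check(pdf, user_roles, "View")
    return pdf.props["body"]

def call_view(user_roles, view, pdf):
    """Request for data/XY.pdf/view: the user must be allowed to call view;
    what view reads from the file is checked with its effective roles."""
    check(view, user_roles, "View")
    effective = view.props.get("proxy_roles") or user_roles
    check(pdf, effective, "View")
    return {k: v for k, v in pdf.props.items() if k != "body"}

def outcome(fn, *args):
    try:
        return fn(*args)
    except Unauthorized:
        return "Unauthorized"

# Constructed sample objects: only staff holds 'View' on the file.
PDF = Protected("XY.pdf", {"staff": {"View", "Access contents information"},
                           "student": {"Access contents information"}},
                title="Lecture notes", docSize="120 KB", body=b"%PDF-sample")
CALLABLE_BY_ALL = {"staff": {"View"}, "student": {"View"}}
VIEW_PLAIN = Protected("view", CALLABLE_BY_ALL)
VIEW_PROXY = Protected("view", CALLABLE_BY_ALL, proxy_roles={"staff"})

if __name__ == "__main__":
    print(outcome(download, {"student"}, PDF))
    print(outcome(call_view, {"student"}, VIEW_PLAIN, PDF))
    print(outcome(call_view, {"student"}, VIEW_PROXY, PDF))
```

In this model the student is refused both the direct download and the plain view method, and gets only the properties, never the file body, from the view method that carries the staff proxy role.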