how can I enforce my own Delete permission
Hi all, I defined my own permission to delete an object like so: security.declareProtected( 'Delete ZehnderRequests', 'manage_beforeDelete' ) def manage_beforeDelete(self, item, container): "just here to enforce permisson" if not self.portal_membership.getAuthenticatedMember().has_permission('Delete ZehnderRequests', self): raise BeforeDeleteException in the class definition I declare security.setPermissionDefault('Delete ZehnderRequests', ['Manager', 'Owner' ] at the end of the class definition I call InitializeClass( CMFZehnderRequest ) now my problem: every user has the permission set altough only manager should have it. what am I doing wrong here ? thanks for any typ. Robert -- mit freundlichen GrĂ¼ssen Robert Rottermann www.redCOR.ch
robert wrote at 2003-6-28 16:53 +0200:
... security.setPermissionDefault('Delete ZehnderRequests', ['Manager', 'Owner' ] ... now my problem:
every user has the permission set altough only manager should have it.
what am I doing wrong here ?
There has been a bug with "setPermissionDefault" (search the CVS log to check when it was fixed). It might (though not very likely) be a difference between a list and a tuple. At other places, a list indicates "include acquisition" while a tuple means "just these roles without acquisition". Dieter
Am Samstag, 28. Juni 2003 20:07 schrieb Dieter Maurer:
robert wrote at 2003-6-28 16:53 +0200:
... security.setPermissionDefault('Delete ZehnderRequests', ['Manager', 'Owner' ] ... now my problem:
every user has the permission set altough only manager should have it.
what am I doing wrong here ?
There has been a bug with "setPermissionDefault" (search the CVS log to check when it was fixed).
It might (though not very likely) be a difference between a list and a tuple. At other places, a list indicates "include acquisition" while a tuple means "just these roles without acquisition".
Dieter Thanks Dieter, changing to tuples did not help. In fact whatever I do, setting permissions or not, any user (with no role at all) does have the permission set. the script: u = context.acl_users.getUserById('ldf01') return u.has_permission('Delete ZehnderRequests', context['Ticket.2003-06-28.2211'])
always returns 1 any more hints ? robert
robert wrote at 2003-6-29 08:53 +0200:
... changing to tuples did not help. In fact whatever I do, setting permissions or not, any user (with no role at all) does have the permission set. the script: u = context.acl_users.getUserById('ldf01') return u.has_permission('Delete ZehnderRequests', context['Ticket.2003-06-28.2211'])
always returns 1
any more hints ?
"AccessControl.User.BasicUser.has_permission" is broken. It uses the currently authenticated user and ignores its "self". Who did implement that :-(( Please file a bug report... Use "has_role" instead: u.has_role('Delete ZehnderRequests',context['Ticket.2003-06-28.2211'])
robert
Dieter
participants (2)
-
Dieter Maurer -
robert