Re: [Zope] Defining my own security
Thank you!! You got me started down the right road. I ended up putting my check in the "__before_publishing_traverse__" method of my "Folder" and it seems to be doing exactly what I had hoped.

Steve

Matt Hamilton wrote:
Okay, here goes...
I have created a Zope Product that extends a Zope Folder object and I want to add a non-traditional security check before allowing users to "View" stuff in the "folder". For reasons that are too complicated to explain here, I can't use Zope roles and permissions for this check (in fact, this check should be done in addition to Zope's existing security mechanism checks). What I want to do is verify that a particular variable in the "Session" matches a specific property of the "folder". If it does not match, I want to raise an unauthorized error.
Is this kind of thing possible? Any help will be appreciated.
Steve, Yes, this kind of thing is possible. The main question is what exactly you want to protect, i.e. is it a method call on that object (e.g. objectValues)?
The general code would be something like:

    from zExceptions import Unauthorized

    data = REQUEST.SESSION['my_session_var']
    if data != self.myproperty:
        raise Unauthorized('<strong>You are not authorized to access this resource.</strong>')

The more difficult question is where exactly in your code to put this. If you want to protect the access of objects within the folder, then I think you will need to put it in __getitem__ somewhere. However, I do remember talking to someone else about this, and one of the methods like that overrides the security, or swallows the exception or something. You may have to play around with it, or try putting it in __bobo_traverse__.
-Matt
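
The check discussed in this thread, placed in the traversal hook Steve reports using, as an added sketch that is not code from either poster or from Zope itself. `GuardedFolder`, `FakeRequest` and `is_allowed` are hypothetical stand-ins so it runs without Zope; the hook's `(self, obj, REQUEST)` signature is an assumption, and a local `Unauthorized` is used only when `zExceptions` is not installed.

```python
import hmac

try:
    from zExceptions import Unauthorized  # the exception used in the thread
except ImportError:
    class Unauthorized(Exception):
        """Stand-in so the sketch runs without Zope installed."""


class FakeRequest:
    """Constructed stand-in for REQUEST; only SESSION is modelled."""
    def __init__(self, session=None):
        self.SESSION = session


class GuardedFolder:
    """Hypothetical stand-in for the custom Folder product."""
    def __init__(self, myproperty):
        self.myproperty = myproperty

    def _check_session(self, REQUEST):
        session = getattr(REQUEST, 'SESSION', None)
        # A missing session or key must deny access, not escape as a
        # KeyError (which would surface as a server error instead).
        value = session.get('my_session_var') if session is not None else None
        if not isinstance(value, str):
            raise Unauthorized('You are not authorized to access this resource.')
        # Constant-time comparison, so the check does not leak how much of
        # the expected value a guess got right.
        if not hmac.compare_digest(value.encode(), self.myproperty.encode()):
            raise Unauthorized('You are not authorized to access this resource.')

    def __before_publishing_traverse__(self, obj, REQUEST):
        # Assumed signature: invoked before the folder is traversed.
        self._check_session(REQUEST)


def is_allowed(folder, request):
    """Simulate the hook being invoked and report whether access passes."""
    try:
        folder.__before_publishing_traverse__(folder, request)
    except Unauthorized:
        return False
    return True
```

A check placed in a publishing hook only covers requests that reach the folder through URL traversal; code that obtains the contained objects some other way does not pass through it.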
participants (1): Steve Jibson