My confusion comes from how some permissions are grouped. For instance, if I want an author to be able to add new folders, I can't just give them add folders permission; I have to give them add folder and manage properties. The problem is that manage properties enables access to other actions that are outside the scope of an author, i.e. changing user roles within folders and managing syndication. Is there another way to allow a user to add a folder without needing to give them manage properties permissions? It would be nice to have a document listing the permissions and EXACTLY what they do and how they interrelate, if only just for the base ZOPE and CMF products.
From: Dylan Reinhardt <zope@dylanreinhardt.com>
Reply-To: zope@dylanreinhardt.com
To: Michael Havard <nhavar@hotmail.com>
CC: zope@zope.org
Subject: Re: [Zope] New permissions
Date: 04 Apr 2003 08:51:48 -0800
On Fri, 2003-04-04 at 07:41, Michael Havard wrote:
I can't seem to find an example of adding new/custom permissions to a Zope site. Maybe there's another way.
If you're saying what I think you are, you're talking about something that needs to be defined in the product's source code. You *could* always subclass/modify the code for your built-in products, but I wouldn't advise it without a great deal of analysis. The kinds of roles and considerations you describe are fairly typical for Zope and I would venture that the existing permissions are probably sufficient.
You've got complex enough requirements here that a simple answer won't do. I'd suggest checking out the newest version of the documentation and coming back to the list with any finer-grained challenges you run into. You may want to pay particular attention to the section on Security Policy Acquisition, as I suspect this may be where some of your answers lie.
http://www.zope.org/Documentation/Books/ZopeBook/2_6Edition/Security.stx
HTH,
Dylan
On Fri, 2003-04-04 at 09:04, Michael Havard wrote:
Is there another way to allow a user to add a folder without needing to give them manage properties permissions?
Here's a general-purpose technique:

1. Create a role called AddFolder
2. Give AddFolder the necessary permissions to create a folder
3. Create an add_folder method and give it an AddFolder proxy role.
4. Permit authors to use (but not change) the add_folder method

This way, authors will have the ability to use the permissions associated with AddFolder... but only in the specific way(s) you have defined.

It's a good idea to make your roles pretty fine-grained... but it's probably not worth going overboard with. It's more important, in this scheme, that your methods be tailored to a specific purpose and the permissions controlling them be fine-grained.
It would be nice to have a document listing the permissions and EXACTLY what they do and how they interrelate if only just for the base ZOPE and CMF products.
The best such document is the product source code. Permissions, ultimately, are just labels applied to collections of product methods. When you allow a permission, you allow specific users to call its methods. If you want to know exactly what those methods *do*, you'll have to look at how they are defined.
HTH,
Dylan
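The four-step proxy-role technique from the reply above, as a small stand-alone Python model. This is an added example, not code from the thread or from Zope: the `Context` and `Folder` classes, the `create_subfolder` and `set_local_roles` methods, and the "Use add_folder" permission are hypothetical names, and the grouping of role changes under "Manage properties" follows the question as asked.

```python
# Simplified model of proxy roles (constructed for illustration; not Zope source).
class Unauthorized(Exception):
    pass

# Constructed sample policy: role -> permissions granted on this folder tree.
ROLE_PERMISSIONS = {
    "Author": {"View", "Use add_folder"},
    "AddFolder": {"Add Folders", "Manage properties"},
}

class Context:
    """The calling user's roles plus any proxy roles currently in effect."""
    def __init__(self, user_roles):
        self.user_roles = set(user_roles)
        self.proxy_stack = []

    def check(self, permission):
        # While a proxied method runs, its proxy roles replace the user's roles.
        roles = self.proxy_stack[-1] if self.proxy_stack else self.user_roles
        if not any(permission in ROLE_PERMISSIONS.get(r, ()) for r in roles):
            raise Unauthorized(permission)

class Folder:
    def __init__(self):
        self.children, self.local_roles = {}, {}

    def create_subfolder(self, ctx, folder_id):      # hypothetical name
        ctx.check("Add Folders")
        ctx.check("Manage properties")
        self.children[folder_id] = Folder()

    def set_local_roles(self, ctx, user, roles):     # hypothetical name
        ctx.check("Manage properties")
        self.local_roles[user] = list(roles)

def add_folder(ctx, parent, folder_id):
    """Step 3: the only path by which authors reach the AddFolder role."""
    ctx.check("Use add_folder")            # step 4: checked against the caller
    if not folder_id.isalnum() or folder_id in parent.children:
        raise ValueError("invalid or duplicate folder id")
    ctx.proxy_stack.append({"AddFolder"})  # steps 1-2: borrow AddFolder's permissions
    try:
        parent.create_subfolder(ctx, folder_id)
    finally:
        ctx.proxy_stack.pop()              # elevation ends with the method

def denied(action, *args):
    """Return True if the action raises Unauthorized."""
    try:
        action(*args)
    except Unauthorized:
        return True
    return False
```

An author calling `create_subfolder` or `set_local_roles` directly is refused, while `add_folder` succeeds and leaves no elevated role behind once it returns.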