[Zope-CMF] PortalContent permissions

seb bacon seb@jamkit.com
Thu, 19 Apr 2001 19:30:00 +0100


* seb bacon <seb@jamkit.com> [010417 16:59]:
> > >
> > > > What do you think it should do?  I was thinking it should first look for
> > > > a "view" action, but if the user doesn't have access to it, it should
> > > > look through the options in order and choose the first action the user
> > > > is allowed to access.
> > >
> > > I can't think of any benefits to having a default view called 'view' -
> > > it might be better to rely purely on the rank of the action, rather
> > > than hardcoding in an exception to the rule, I think.
> > 
> >                  What *is* hardcoded is the "view" method of all portal
> > content and the fact that it is exposed in URLs.  But we could find no
> > way around that.
> > 
> 
> I'm not sure I follow - I can't see where 'view' is hardcoded other
> than in attributes such as:
>   
>   view = index_html  # Necessary for catalog searches.
> 
> ...where index_html is computed as needed anyway.  Why can't 'view' just
> be aliased to whatever the first action filtered by permission is, as
> it would be in this case?

Hmm, well I tried implementing this, but keep coming up against
problems too great for me to wrap my brains round.  The problem is
that whenever I try to check the user's permissions inside
_index_html, the user checked against is always 'Anonymous User'.  I
think this is something to do with not acquiring the correct security
context, but I'm not sure.  I'm in way over my head here, but I'd
really like to get this implemented...any help appreciated :-)

My code is posted below.

cheers,

seb

--------------------------

    def _index_html(self):
        '''
        Invokes the action identified by the id "view" or the first action.
        '''
        #import pdb;pdb.set_trace()
        ti = self.getTypeInfo()
        pm = getToolByName(self, 'portal_membership', None)
        if ti is not None:
            # Debug output; ti.getId() is only safe once ti is known to exist.
            print "object %s, id %s" % (str(self), ti.getId())
            actions = ti.getActions()
            if actions:
                for action in actions:
                    permissions = action['permissions']
                    verified = 0
                    if not permissions:
                        # This action requires no extra permissions.
                        verified = 1
                    else:
                        for permission in permissions:
                            # The user must be able to match at least one of
                            # the listed permissions.
                            if pm.checkPermission(permission, self):
                                verified = 1
                                break
                    if verified:
                        path = action['action']
                        view = self.restrictedTraverse(path)
                        return view
            raise 'Not Found', ('No default view defined for type "%s"'
                                % ti.getId())
        else:
            raise 'Not Found', ('Cannot find default view for "%s"'
                                % string.join( self.getPhysicalPath() ) )
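
An added example, not part of the original post and not CMF or Zope code: a self-contained Python model of one possible cause of the symptom described above. It assumes the publisher authenticates the request only after it has traversed the URL, so an attribute computed during traversal (as index_html is here) runs its permission check while the security context still holds 'Anonymous User'. All names (SecurityContext, GRANTS, publish, the sample users and actions) are constructed for illustration.

```python
# Simplified model (constructed): the publisher resolves the path first and
# authenticates afterwards. This ordering is the assumption being illustrated.
ANONYMOUS = "Anonymous User"

class SecurityContext:
    """Stands in for the per-request security manager."""
    def __init__(self):
        self.user = ANONYMOUS  # nobody is authenticated when traversal starts

# Constructed sample data: permissions held by each user.
GRANTS = {
    "seb": {"View"},
    "editor": {"Modify portal content"},
    ANONYMOUS: set(),
}

def check_permission(ctx, permission):
    return permission in GRANTS.get(ctx.user, set())

def first_permitted(ctx, actions):
    """Return the first action the current user may access, else None."""
    for action in actions:
        perms = action["permissions"]
        # No listed permissions means the action is open to everyone.
        if not perms or any(check_permission(ctx, p) for p in perms):
            return action["action"]
    return None

class Content:
    actions = [  # constructed sample actions, in rank order
        {"action": "document_view", "permissions": ["View"]},
        {"action": "document_edit_form", "permissions": ["Modify portal content"]},
    ]
    def __init__(self, ctx):
        self.ctx = ctx

    @property
    def index_html(self):
        # Computed on attribute access, i.e. while the path is being traversed.
        return first_permitted(self.ctx, self.actions)

    def __call__(self):
        # Deferred: runs when the published object is called, after authentication.
        return first_permitted(self.ctx, self.actions)

def publish(credentials, use_computed_attribute):
    ctx = SecurityContext()
    obj = Content(ctx)
    early = obj.index_html if use_computed_attribute else None  # traversal step
    ctx.user = credentials                                      # authentication step
    return early if use_computed_attribute else obj()           # call step
```

In this model the permission-filtered lookup only sees the real user when it is deferred to call time; evaluated during traversal, every user is treated as anonymous and no action matches.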