[Zope-CMF] Visibility/creatability of types from TypeInfos

David (Hamish) Harvey david.harvey@bristol.ac.uk
Wed, 12 Jun 2002 18:12:09 +0100 

As an adjunct to that fix I just posted about for the folder listing based 
on portal_type issue in CMF, I'm trying to prepare a fix for the other 
aspect of my problem with this and encountering some difficulty.

First, the problem: This is The One Where View Permission On TypeInfo 
Controls Both Visibility and Creation of Instances. I want separate control 
of viewing of existing instances and creation of new instances. More 
details below for context, but here's the question:

I can make modifications to anything at run time, right (as someone who cut 
his teeth on SmallTalk, I say this is great, but old hat - the clever thing 
about Python is how it got popular :-), and this includes modules? So I can 
add a new permission to CMFCorePermissions like so (no?):

from Products.CMFCore import CMFCorePermissions
CMFCorePermissions.CreateInstances = 'Create instances'
CMFCorePermissions.setDefaultRoles( CMFCorePermissions.CreateInstances
                                  , ( 'Owner', 'Manager', ) )

This seems to work, but I figure it's worth asking in case there's a 
gotcha. I then want to *change* the permissions on an *existing* method in 
TypesTool to use this new permission (I originally just edited the source 
of TypesTool, and it all worked fine):

from Products.CMFCore.TypesTool import TypesTool
security = TypesTool.security
# constructInstance is public in CMFCore.TypesTool
security.declareProtected( CMFCorePermissions.CreateInstances
                         , 'constructInstance' )

When I do this (and another little bit to check this permission in 
isConstructionAllowed) the permission doesn't show up in the Security tab 
of the TypeInfo objects. As I say, if I modify the code directly, it does.

============= More info on the problem for context:

I create a new FactoryTypeInfo, identical to Document, with 
content_meta_type 'Fred', so an instance created using this typeinfo would 
have portal_type 'Fred' (hope I've got this right this time). Likely 
combinations of desired abilities are

Can see existing content with this portal_type, but can't create new
Can see existing and can create new.
Can't see or create.

I figure that can't see but can create is unlikely to be very useful.

I have a patch which achieves this, potential security holes and whatnot 
notwithstanding. Unfortunately it works (as far as I've tested it) if I 
modify the CMFCore code directly (CMFCorePermissions, to add a new one to 
control creation, and TypesTool, to make use of it) but I can't make it 
work in a product.

Cheers,
Hamish