[Zope-CMF] Topic, allowedRolesAndUsers and NuxUserGroups
Tres Seaver
tseaver@zope.com
22 May 2002 07:29:04 -0400
On Tue, 2002-05-21 at 13:28, Sion Morris wrote:
> Hi,
>
> Problem:
> An item, 'allowedRolesAndUsers', is a criterion that can be used in a
> Topic.
> String: allowedRolesAndUsers
> Value: admin
> But when the Topic is viewed, the 'allowedRolesAndUsers' criteria seem
> to be ignored.
>
> Background:
> The project is for an intranet application for workgroups.
>
> One task is to search for every document in a particular group.
>
> At the root level of the CMF I have set up a 'workgroup member' role
> with access privileges. NuxUserGroups is installed to allow groups -->
> role mapping.
>
> The permission for each document, news item, NuxDocument etc. is set by
> the user using a customised form e.g. select the group 'admin' from a
> list (This seems sensible to me but I haven't done it yet so please let
> me know if you think otherwise :-)). The permission setting, i.e. the
> 'admin' group, is programmatically assigned to the 'workgroup member'
> role of the document after it has been submitted.
>
> The permission details are catalogued by the portal_catalog in the
> 'allowedUsersAndRoles' index as ['group:admin', 'user:bob'].
>
> If Jane, who is a member of the 'admin' group, searches for 'admin' in
> the 'allowedRolesAndUsers' index, should it mean that all published
> documents with 'admin' in 'allowedRolesAndUsers' index are found? If this
> could work then instead of having folders to separate workgroups I could
> use the permission mapping.
>
> If I have strayed hopelessly off course here then please let me know :-)
>
> Any help, as always, greatly appreciated.

The 'allowedRolesAndUsers' index is used specially by the CMF catalog
to enforce its "all results should be viewable" invariant; unless
you have subclassed from CMFCore.CatalogTool.CatalogTool, you won't
be able to make effective use of the index at all. Here's why::

    # CMFCore/CatalogTool.py

    # searchResults has inherited security assertions.
    def searchResults(self, REQUEST=None, **kw):
        """
            Calls ZCatalog.searchResults with extra arguments that
            limit the results to what the user is allowed to see.
        """
        user = _getAuthenticatedUser(self)
        kw[ 'allowedRolesAndUsers' ] = self._listAllowedRolesAndUsers(\
                                          user )

You might be able to leverage this behavior to accomplish what you want,
if I understand that correctly. The '_listAllowedRolesAndUsers' method
computes a list of roles and users which "pertain" to a given user; if
you can ensure that that method includes 'group:admin' as one of the
values, your search should work as planned (I don't know the
NuxUserGroups product well enough to know if this is so)::

    def _listAllowedRolesAndUsers( self, user ):
        result = list( user.getRoles() )
        result.append( 'Anonymous' )
        result.append( 'user:%s' % user.getUserName() )
        return result

To make this work, you either need to have the user created by
NuxUserGroups return 'group:...' as one of its roles, or else you
need to subclass the CatalogTool and override
'_listAllowedRolesAndUsers'.

If this works, it will work *without* you passing in any explicit value
for 'allowedRolesAndUsers' (which is the point of customizing
'searchResults' in the first place!)

Tres.
--
===============================================================
Tres Seaver tseaver@zope.com
Zope Corporation "Zope Dealers" http://www.zope.com
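
Added example, not part of the original message and not CMF or NuxUserGroups code: a self-contained Python model of the filter described above, showing that a caller-supplied 'allowedRolesAndUsers' value is overwritten and that overriding '_listAllowedRolesAndUsers' to add 'group:...' tokens makes group documents appear. The User class, its getGroups() accessor, the dict-backed catalog and the sample documents are constructed stand-ins, and the user is passed in explicitly where CMF calls _getAuthenticatedUser.

```python
# Constructed stand-ins; not CMF or NuxUserGroups code.
class User:
    def __init__(self, name, roles, groups=()):
        self._name, self._roles, self._groups = name, list(roles), list(groups)

    def getRoles(self):
        return self._roles

    def getUserName(self):
        return self._name

    def getGroups(self):  # assumed accessor for group membership
        return self._groups


class CatalogTool:
    """Models only the security filter of searchResults."""

    def __init__(self, docs):
        self._docs = docs  # {doc_id: indexed allowedRolesAndUsers tokens}

    def _listAllowedRolesAndUsers(self, user):
        result = list(user.getRoles())
        result.append('Anonymous')
        result.append('user:%s' % user.getUserName())
        return result

    def searchResults(self, user, **kw):
        # Any value the caller passed for this key is replaced here.
        kw['allowedRolesAndUsers'] = self._listAllowedRolesAndUsers(user)
        allowed = set(kw['allowedRolesAndUsers'])
        return sorted(d for d, toks in self._docs.items() if allowed & set(toks))


class GroupAwareCatalogTool(CatalogTool):
    def _listAllowedRolesAndUsers(self, user):
        result = CatalogTool._listAllowedRolesAndUsers(self, user)
        # Tokens come from the authenticated user, never from the request.
        result.extend('group:%s' % g for g in user.getGroups())
        return result


# Constructed sample data.
DOCS = {
    'admin-report': ['group:admin', 'user:bob'],
    'sales-plan': ['group:sales'],
    'public-news': ['Anonymous'],
}
JANE = User('jane', ['Member'], groups=['admin'])
```

Because the group tokens are derived from the user object inside the tool, a caller still cannot widen its results by passing its own 'allowedRolesAndUsers' value.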