[Zope-DB] setting up user privileges
Dieter Maurer
dieter at handshake.de
Thu Sep 29 14:39:24 EDT 2005
Marvin Calingacion wrote at 2005-9-29 21:30 +0800:
>I would like to ask for some advice and tips on how to set up
>user privileges on the site I made with Zope. These privileges will be based
>on some sections of a given page while others will require a whole page.
>
>Example:
>
>-> Page 1
>- Section/Module 1
>- Section/Module 2
>
>-> Page 2
>- Section/Module 1
>- Section/Module 2
>
>As I read the manual/book, I found that Zope has its own mechanism of
>setting securities/privileges even creating groups with its own set of
>rights on the site but I am not able to comprehend how to apply such with my
>site. Hope to hear from you.
While you did not understand the Zope book, I did not understand
what you want to achieve...
I will try to help you understand the basic principles:
Zope is an object oriented system. What you essentially
do in such a system is call methods.
Some methods (in fact most of them) do sensitive things.
You want to protect their calls (to protect your system).
Zope introduces so-called permissions to protect methods.
A permission is just a (hopefully descriptive) name, e.g. "View".
A given permission can be used to protect zero, one or more
methods. A given method can be protected by a single permission.
When a method is protected by permission "P", then
the user calling the method must have permission "P".
Otherwise, an "Unauthorized" exception is raised.
How does a user get a permission "P"?
This does not happen directly but via so-called
roles.
A role is again just a (hopefully descriptive) name, e.g. "Manager".
A user can have a set of global roles (maintained
in the UserFolder).
Furthermore, he can get additional roles in subhierarchies.
These are called (somewhat wrongly) "local roles" (roles
valid not globally but only in a local context).
With respect to a given object (and the calls of its methods),
a user has a set of roles on this object: his global
roles and the local roles in effect at this object.
Finally, there is the "permission to role" mapping, managed
in the "Permissions" tab of each object.
There you specify for each permission which roles should
be granted the permission. You can also specify whether
grants from higher up in the hierarchy should be acquired
or ignored. You can say for example that the permission "View"
should be granted to the role "Manager".
Now, the picture is complete.
When a user wants to call a method of object "o" protected by
permission "P", Zope will check whether the user has, on
"o", a role for which the permission "P" is granted.
How do you play with this setup:
Usually, the permissions and the methods they protect
are fixed (unless you create new methods and permissions
that protect them). Thus, you do not play with these.
Instead, you play with roles (define new ones, if necessary),
and assign them to users, either globally or locally in different
parts of your site (--> "local roles").
Furthermore, you adjust the "permission to role" mapping
in such a way that a user can (based on his roles) precisely
call the methods you want him to be able to call (and not the others).
--
Dieter
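As an added illustration (not part of Dieter's reply and not Zope's own API), here is a small Python model of the check described above: global roles from the UserFolder, local roles valid from an object downward, a per-object permission-to-role mapping whose grants are either acquired from the parent or ignored, and a method protected by the single permission "View" that raises Unauthorized. The site layout, the user names and the "Reviewer" role are constructed for the example.

```python
from collections import namedtuple
class Unauthorized(Exception):
    """Raised when the caller has no role that is granted the protecting permission."""

User = namedtuple("User", "name global_roles")  # global roles live in the UserFolder

class Obj:
    """A node of the site hierarchy carrying its own 'Permissions' tab settings."""
    def __init__(self, name, parent=None, grants=None, acquire=(), local_roles=None):
        self.name, self.parent = name, parent
        self.grants = grants or {}            # permission -> roles granted on this object
        self.acquire = set(acquire)           # permissions whose grants are also acquired
        self.local_roles = local_roles or {}  # user name -> roles valid from here downward
    def roles_of(self, user):
        """Global roles plus every local role assigned here or on an ancestor."""
        roles, node = set(user.global_roles), self
        while node is not None:
            roles |= set(node.local_roles.get(user.name, ()))
            node = node.parent
        return roles
    def roles_granted(self, permission):
        """Roles granted the permission here, plus the parent's grants if acquired."""
        granted = set(self.grants.get(permission, ()))
        if permission in self.acquire and self.parent is not None:
            granted |= self.parent.roles_granted(permission)
        return granted
    def check(self, user, permission):
        if not self.roles_of(user) & self.roles_granted(permission):
            raise Unauthorized(f"{user.name} lacks {permission!r} on {self.name}")

class Page(Obj):
    def render(self, user):  # a method protected by the single permission "View"
        self.check(user, "View")
        return f"{self.name} rendered for {user.name}"

def can_view(page, user):
    """True if user may call page.render(), False if that raises Unauthorized."""
    try:
        return bool(page.render(user))
    except Unauthorized:
        return False

# Constructed sample site: Managers may view wherever acquisition is on; bob is a
# Reviewer only below page1; page3 ignores acquired grants, so even Managers are locked out.
root = Obj("root", grants={"View": {"Manager"}})
page1 = Page("page1", root, grants={"View": {"Reviewer"}}, acquire={"View"},
             local_roles={"bob": {"Reviewer"}})
page2 = Page("page2", root, acquire={"View"})
page3 = Page("page3", page1, grants={"View": {"Reviewer"}})  # acquire left off
alice, bob, carol = User("alice", {"Manager"}), User("bob", set()), User("carol", set())
```

page3 shows the usual surprise when acquisition is switched off for a permission: only the roles granted on that very object count, so the Manager loses "View" there unless it is granted again locally.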