[Zope-dev] ZCatalog: hiding search results from unauthorized users - hack

Casey Duncan casey@zope.com
Tue, 02 Apr 2002 11:05:30 -0700


The problem with this solution is that you must wake up every object 
found, thus negating the performance/memory advantages of ZCatalog's 
lazy result sets.

Since you said (in your other message) that the restriction is by role, 
couldn't you just index the roles allowed to view a given object and 
then filter on that index? The caveat with that is that you would need 
to reindex whenever the access settings changed. So, this would need to 
be done in such a way in your application so that the objects could be 
indexed when the security settings changed. This would make implicit 
(acquired) security changes difficult to handle.

On the bright side, you wouldn't need to subclass ZCatalog, or bring all 
the results into memory and validate each one. That's *extremely* 
expensive. All you would need to do is create a method or Python script 
that returned a list of roles allowed to "view" an object, and then 
create a keyword index on this method/script.

hth,

Casey
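Casey's suggestion as an added example (not code from the thread or from Zope): a constructed stand-in for a KeywordIndex over the roles allowed to View each object, queried with the roles the searching user holds. Node, RoleIndex and demo are invented names, acquisition is simulated by walking the parent chain, and the demo also shows the reindex caveat he raises when an acquired setting changes.

```python
class Node:
    def __init__(self, parent=None, view_roles=None):
        self.parent = parent
        self.view_roles = view_roles  # None = acquire the setting from the parent

    def roles_allowed_to_view(self):
        """The method Casey suggests indexing: roles that may View this object."""
        node = self
        while node is not None:
            if node.view_roles is not None:
                return sorted(node.view_roles)
            node = node.parent
        return []

class RoleIndex:
    """Minimal KeywordIndex: role -> set of catalog record ids (rids)."""
    def __init__(self):
        self._index = {}

    def index_object(self, rid, obj):
        for rids in self._index.values():  # drop any stale entry for this rid
            rids.discard(rid)
        for role in obj.roles_allowed_to_view():
            self._index.setdefault(role, set()).add(rid)

    def query(self, user_roles):
        # Filter on the index: rids visible to any role the searching user holds.
        hits = set()
        for role in user_roles:
            hits |= self._index.get(role, set())
        return sorted(hits)

def demo():
    root = Node(view_roles={"Manager"})
    public = Node(parent=root, view_roles={"Anonymous", "Manager"})
    objs = {1: public, 2: Node(parent=root), 3: Node(parent=public)}  # 2, 3 acquire
    catalog = RoleIndex()
    for rid, obj in objs.items():
        catalog.index_object(rid, obj)
    before = catalog.query(["Anonymous"])  # [1, 3]; rid 2 is filtered in the index
    # Casey's caveat: tightening "public" also changes rid 3 by acquisition,
    # but the index only learns of it when both objects are reindexed.
    public.view_roles = {"Manager"}
    stale = catalog.query(["Anonymous"])   # still [1, 3]
    for rid, obj in objs.items():
        catalog.index_object(rid, obj)
    return before, stale, catalog.query(["Anonymous"])  # third value: []
```

No object is woken up at query time; only the role list recorded at index time is consulted, which is exactly why the index goes stale until reindexed.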

Igor Stroh wrote:
> Hi all,
> 
> in case someone has the same problem as me (see "ZCatalog - hiding query
> results" thread for more info) - I got a solution:
> 
> - create a product that subclasses ZCatalog
> - in this product overwrite ZCatalog.getobject with
> 
>   def getobject(self, rid):
>       """foo"""
>       # restricted traversal is security-checked, so it raises Unauthorized
>       # when the current user may not reach the catalogued object
>       obj = self.aq_parent.unrestrictedTraverse(self.getpath(rid), restricted=1)
>       return obj
> 
> - create a Python script in your catalog (e.g. "filterCat") with a
>   parameter that represents the catalog itself ("brains" here):
> 
>   # 'brains' is the lazy result set; keep only the records whose object
>   # the current user can traverse to via the getobject override above
>   retval = []
>   for brain in brains:
>     try:
>       container.getobject(brain.getRID())
>       retval.append(brain)
>     except:
>       # swallows Unauthorized (and any other traversal error) for that hit
>       pass
>   return retval
> 
> - adjust your catalog query reports, so that they call
>   "filterCat(_['<catalogname>'])" instead of <catalogname>
> 
> Now your users see only those hits in a query which apply to objects they
> are allowed to "View".
> 
> greetings,
> Igor
> 
> _______________________________________________
> Zope-Dev maillist  -  Zope-Dev@zope.org
> http://lists.zope.org/mailman/listinfo/zope-dev