[Zope-dev] local grants for z3c.rest not working.
Jayarajan Jn
jayarajan at musmo.com
Thu Dec 11 01:36:47 EST 2008
Hi all,
Recently i was looking for some zope3 based solutions for implementing
RESTful public API. And i found z3c.rest. To begin with package I have
installed it and enabled the the RESTviews for 'Folder' that is provided in
the 'tests' sub-folder of z3c.rest. It works fine. Then i changed the
Permission setting for GET view from 'zope.View' to 'zope.ManageContent'
and i expected this would make the GET view of the Folder to be unavailable
to the Public. But it was still possible for me to call the GET view with an
'unauthorised' request.
Similarly, i changed the permission for POST/PUT from 'zope.ManageContent'
to 'zope.Public' and still I had to get authenticated to access it.
Can any one please tell me how can i use local grants with z3c.rest? I
expected it to work the same way as other zope:views do. Please help me on
this.
I have installed the package available in the svn trunk. Zope3 setup is
zope3.4.0c1 + python 2.5
I have tested the GET view using both web browser and a python script.
Following is the original configurations from z3c/rest/tests/folder.zcml
########################
<view
for="zope.app.folder.interfaces.IFolder"
name="GET"
type="..interfaces.IRESTRequest"
factory=".folder.FolderAPI"
permission="zope.View"
allowed_attributes="GET"
/>
<view
for="zope.app.folder.interfaces.IFolder"
name="POST"
type="..interfaces.IRESTRequest"
factory=".folder.FolderAPI"
permission="zope.ManageContent"
allowed_attributes="POST"
/>
<view
for="zope.app.folder.interfaces.IFolder"
name="PUT"
type="..interfaces.IRESTRequest"
factory=".folder.FolderAPI"
permission="zope.ManageContent"
allowed_attributes="PUT"
/>
##########################
This is how i changed it
------------------------------------------------------------------
<view
for="zope.app.folder.interfaces.IFolder"
name="GET"
type="..interfaces.IRESTRequest"
factory=".folder.FolderAPI"
permission="zope.ManageContent"
allowed_attributes="GET"
/>
<view
for="zope.app.folder.interfaces.IFolder"
name="POST"
type="..interfaces.IRESTRequest"
factory=".folder.FolderAPI"
permission="zope.Public"
allowed_attributes="POST"
/>
<view
for="zope.app.folder.interfaces.IFolder"
name="PUT"
type="..interfaces.IRESTRequest"
factory=".folder.FolderAPI"
permission="zope.Public"
allowed_attributes="PUT"
/>
--------------------------------------------------------------------
Thanks in advance.
rgds,
Jayarajan J N (IRC nick - jayaraj)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.zope.org/pipermail/zope-dev/attachments/20081211/7cb13056/attachment.html
More information about the Zope-Dev
mailing list