[Zope-dev] Proposal: Align Zope 2 and Zope 3 permissions
Hanno Schlichting
hannosch at hannosch.eu
Sun Apr 12 16:22:02 EDT 2009
Martin Aspeli wrote:
> So, here is what I'd like to propose, ideally for Zope 2.12:
>
> 1) Use an event handler to ensure that any <permission /> declared in
> ZCML actually creates a valid, Zope 2 permission. I have working code
> for this here which we could put in Products.Five with ease.
+1
> 2) Emit a warning instead of an error in Five's handler for the <class
> /> directive when set_attributes or set_schema are used.
+1
> 3) Change the Permission class in AccessControl so that it tries to
> look up an IPermission utility and use the title of that utility as the
> permission name, falling back on the current behaviour of using the
> passed permission name directly.
-1
I think we should start advertising the zope.security API for this
instead. For example:

    from zope.security import checkPermission
    checkPermission('zope2.Private', context)

This works by looking up the current security interaction from a thread
local, which in Five's case is a FiveSecurityPolicy. This policy
delegates to the checkPermission function found in
Products.Five.security which does exactly what you want:

    if (permission in ('zope.Public', 'zope2.Public') or
        permission is None or permission is CheckerPublic):
        return True

    if isinstance(permission, basestring):
        permission = queryUtility(IPermission, unicode(permission))
        if permission is None:
            return False

    if getSecurityManager().checkPermission(permission.title, object):
        return True

    return False
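
Added example (not part of the original message, and not Zope or Five code): a dependency-free Python 3 model of the decision order in the excerpt above, showing that an unregistered permission id is denied and that the Zope 2 check is made against the utility's title. The registry dict stands in for queryUtility(IPermission, ...), StubSecurityManager for getSecurityManager(), and the example.* ids, titles and roles are constructed.

```python
# Stand-in model of the id -> title translation; not Zope or Five code.
from collections import namedtuple

Permission = namedtuple("Permission", "id title")  # models an IPermission utility
CheckerPublic = object()                           # models zope.security's marker

# Constructed registry: what <permission /> declarations would register.
REGISTRY = {
    "example.View": Permission("example.View", "View"),
    "example.Manage": Permission("example.Manage", "Manage example"),
}

class StubSecurityManager:
    """Models the Zope 2 side: roles are granted permissions by title."""
    def __init__(self, user_roles, grants):
        self.user_roles = set(user_roles)
        self.grants = grants      # {permission title: set of roles}
        self.checked = []         # titles actually passed to the Zope 2 check

    def checkPermission(self, title, obj):
        self.checked.append(title)
        return bool(self.user_roles & self.grants.get(title, set()))

def check_permission(permission, obj, manager, registry=REGISTRY):
    """Same decision order as the excerpt quoted in the message."""
    if (permission in ("zope.Public", "zope2.Public")
            or permission is None or permission is CheckerPublic):
        return True               # public: the security manager is never asked
    if isinstance(permission, str):
        permission = registry.get(permission)  # queryUtility stand-in
        if permission is None:
            return False          # unregistered id: deny
    return bool(manager.checkPermission(permission.title, obj))

def demo():
    # Constructed user and role mapping.
    mgr = StubSecurityManager(
        {"Member"}, {"View": {"Member"}, "Manage example": {"Manager"}})
    ids = ("example.View", "example.Manage", "zope2.Public", "example.Typo")
    results = {pid: check_permission(pid, object(), mgr) for pid in ids}
    return results, mgr.checked

if __name__ == "__main__":
    print(demo())
```
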