[Zope] Permission mappings, Z Classes, and acquisition

Michel Pelletier michel@digicool.com
Thu, 10 Jun 1999 09:32:17 -0400 

> -----Original Message-----
> From: Alexander Staubo [mailto:alex@mop.no]
> Sent: Wednesday, June 09, 1999 10:26 PM
> To: Zope Mailing List (E-mail)
> Subject: [Zope] Permission mappings, Z Classes, and acquisition
> 
> 
> Let's say I create a Z Class "Document" and define some new permission
> types. Then for some objects in my Z Class I create 
> permission mappings,
> such as "Add Documents, Images, and Files" and "Delete 
> objects" mapping
> to my permission type "Manage documents". Then I create some instances
> of the Z Class in the folder "Documents". I define a new global role
> "DocumentAdmin". I want this role to manage documents in the 
> "Documents"
> folder and all subfolders.
> 
> But there's the rub. I'd like to use acquisition to enable these
> security settings for all documents in this hierarchy. Zope 
> only allows
> giving this permission to this role for each and every 
> specific Z Class
> instance, because my custom permissions, such as "Manage 
> documents", are
> not available on the folder level -- they're only available on
> instances.
> 
> Is this a bug? Isn't the permission list supposed to be a superset of
> all available permission types defined in the database? Am I missing
> something?
> 

I don't think this is a bug.  In order for you to aquire permissions
from on up high, you must aquire them from a container.  If you object
is a container, then it's permissions can be aquired, but if it's
container (say, a straight folder) does not define permissions it wants
to aquire, then it can't.

> Because of this design, I guess I have to create a dummy Z 
> Class called
> "DocumentFolder" which defines my custom permissions, then 
> let the root
> folder be an instance of this class. Which is fine, but I 
> didn't expect
> having to do this. If this is by design, I'd like to know the 
> rationale
> behind it.
> 

This is how you'll have to do it.  There is no "super" set of
permissions anywhere.  A plain folder containing your ZClass can't know
what permissions it wants because acquisition works the other way.  In
fact, it's a feature that you can't acquire permissions down, because
that would break the Zope law of delegation and abstraction of control.
Managers in upper level folders would have to deal with a growing list
of mostly un-related permissions they don't care about.

So if you want to define your own permissions on your own object, and
you want those objects to aquire from a containing parent, that
containing parent must also define the permissions your objects are
interested in.  In your case, this involves creating a custom container
of some sort.

-Michel

> Oh, and this is Zope 1.11.0pr1.
> 
> --
> Alexander Staubo             http://www.mop.no/~alex/
> "`Ford, you're turning into a penguin. Stop it.'"
> --Douglas Adams, _The Hitchhiker's Guide to the Galaxy_
> 
> 
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://www.zope.org/mailman/listinfo/zope
> 
> (For developer-specific issues, use the companion list,
> zope-dev@zope.org - http://www.zope.org/mailman/listinfo/zope-dev )
>