[Zope] Zope and security.
Stuart 'Zen' Bishop
zen@cs.rmit.edu.au
Fri, 12 Nov 1999 09:17:53 +1100 (EST)
On Thu, 11 Nov 1999, Otto Hammersmith wrote:
> It seems the only way to securely handle all this is to roll your own
> folder that can't hold Z SQL Methods, or anything else that users don't
> really need. (Incidentally, if I did this with Z Classes, would there
> be any performance implications?)
Write manage_safeaccessForm and manage_safeaccess DTML methods.
Give manage_safeaccess the manager proxy role. manage_safeaccessForm
is simply a form that allows you to do a subset of the normal security
form. manage_safeaccess sanitizes the request and passes the results
through to the relevant change-permissions method. This way a
user with access to manage_safeaccessForm and manage_safeaccess can
alter whatever subset of permissions you define in a folder, and all
subfolders through acquisition. But not individual objects.
> Would it be possible with Z Classes to modify either the constructor or
> the addForm to restrict who can create certain objects? Would it be
> possible in Python products? That seems to be the appropriate place to
> control what objects can be created by whom.
You can check what roles the current AUTHENTICATED_USER has, and raise
an exception if they should be able to create this object.
You would need to call:
folder.get_local_roles_for_userid(AUTHENTICATED_USER.getUserName())
Assuming folder is the folder your ZClass or Python product is being
added to.
___
// Zen (alias Stuart Bishop) Work: zen@cs.rmit.edu.au
// E N Senior Systems Alchemist Play: zen@shangri-la.dropbear.id.au
//__ Computer Science, RMIT WWW: http://www.cs.rmit.edu.au/~zen
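
The sanitizing step described in the reply above, sketched as an added example (not part of the original message and not Zope's own code): a handler that runs with a Manager proxy role accepts only an allowlisted subset of permissions and roles before it makes the privileged call. The allowlists, the form field names and the use of `manage_permission` as the change-permissions method are assumptions.

```python
# Added example: allowlist check for a proxy-role "safe access" handler.
# ALLOWED_PERMISSIONS, ALLOWED_ROLES and the form layout are assumptions.
ALLOWED_PERMISSIONS = frozenset({"View", "Access contents information"})
ALLOWED_ROLES = frozenset({"Anonymous", "Authenticated", "Member"})
ALLOWED_FIELDS = frozenset({"permission", "roles", "acquire"})


class RejectedRequest(ValueError):
    """The submitted form asks for something outside the delegated subset."""


def sanitize_access_request(form):
    """Validate a form dict and return (permission, roles, acquire)."""
    # Reject unknown fields outright instead of silently ignoring them.
    extra = set(form) - ALLOWED_FIELDS
    if extra:
        raise RejectedRequest("unexpected fields: %s" % sorted(extra))

    permission = form.get("permission")
    if not isinstance(permission, str) or permission not in ALLOWED_PERMISSIONS:
        raise RejectedRequest("permission not in the delegated subset")

    roles = form.get("roles", [])
    if isinstance(roles, str):  # a single checkbox arrives as one string
        roles = [roles]
    if not isinstance(roles, (list, tuple)) or not all(
        isinstance(r, str) for r in roles
    ):
        raise RejectedRequest("malformed roles field")
    bad = [r for r in roles if r not in ALLOWED_ROLES]
    if bad:
        # Manager, Owner and any custom role cannot be granted through here.
        raise RejectedRequest("roles not delegable: %s" % sorted(bad))

    acquire = 1 if form.get("acquire") in ("1", "on", 1, True) else 0
    return permission, sorted(set(roles)), acquire


def apply_safe_access(folder, form):
    """Sanitize first; only then make the single privileged call."""
    permission, roles, acquire = sanitize_access_request(form)
    # Assumed to be the change-permissions method the handler proxies to.
    folder.manage_permission(permission, roles=roles, acquire=acquire)
    return permission, roles, acquire
```

Validation raises before the folder is touched, so a rejected request leaves no partial permission change behind.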