[Zope] User Authentication Question

Bill Anderson bill.anderson@libc.org
Fri, 18 Feb 2000 14:09:30 -0700


"James W. Howe" wrote:
> 
> At 03:28 PM 2/18/00 -0500, Kevin Dangoor wrote:
> >----- Original Message -----
> >From: "James W. Howe" <jwh@allencreek.com>
> >To: <zope@zope.org>
> >Sent: Friday, February 18, 2000 2:24 PM
> >Subject: [Zope] User Authentication Question
> >
> > > I have a folder which contains several objects, including subfolders.  Some
> > > of the subfolders I have locked down so that only a manager can do anything
> > > with them.   However, if I log in as a non-manager to the management
> > > interface of the parent folder these locked down folders appear in the
> > > contents list. [...] Is this a bug, a feature, or a misunderstanding on
> > my part
> > > about how authentication and object visibility should work?
> >
> >If you have the "access contents information" permission for a given object,
> >you can view the object IDs for every object contained within that object,
> >regardless of the permissions you have for the subobjects.
> >
> >I think this makes sense, because the subobjects in a container belong to
> >that container, and a person with permissions for that container should be
> >aware that they are there. Maybe the person doesn't have "View" permission
> >on those subobjects, but maybe they do have some other permission.
> 
> I can accept that argument, but then I would ask if there is any way to get
> a "restricted" view?  Basically I want to set things up so a content
> manager only sees the content that they actually have access to.  For
> example, I have a news site.  I may have one role which grants the
> authority to create and maintain weekly "issues".  I want this user to be
> able to see existing issues, edit existing issues, etc.  I may have another
> role for managing classified ads.  I don't want the person working with the
> classifieds to have access to the issues, nor do I want them to even see
> them.  It's not so much a security thing as it is a focus thing.  The
> classified ad person only needs to see information relating to classifieds
> and nothing else.  Is there a way to get this kind of control in Zope as it
> currently exists, or do I need to write my own subclasses of ObjectManager
> to add this sort of capability?


If I understand you correctly, you should just need to create ZClasses
for the objects (or do it in Python, if you prefer) 'issues',
'classifieds', etc., and assign different permissions. For example, the
ClassifiedAd objects would look for a role of "ClassifiedManager" or
something like that, and only the person managing the ads has that role,
so they can modify.

Then you just test for the role when displaying the content. If the
person has the correct role (e.g. ClassifiedManager), he can see the
content (e.g. classified ads). Roles can do this with ease, if IUYC.

-- 
In flying I have learned that carelessness and overconfidence are 
usually far more dangerous than deliberately accepted risks. 
          -- Wilbur Wright in a letter to his father, September 1900
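The two behaviours discussed in this thread, as an added example that is not part of the original mail or of Zope itself: a small Python model in which "Access contents information" on a folder reveals every subobject id (what James saw), while a role-filtered listing keeps only the subobjects the user could actually "View" (the "focus" view Bill suggests). The folder and role names are constructed from the thread; permission acquisition from parent folders is deliberately not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class ZObject:
    """A folder or document carrying its own permission -> roles settings."""
    id: str
    permissions: dict = field(default_factory=dict)
    contents: list = field(default_factory=list)

def has_permission(user_roles, obj, permission):
    """True if one of the user's roles holds `permission` on `obj` itself
    (assumption: no acquisition of settings from parent folders)."""
    return bool(set(user_roles) & set(obj.permissions.get(permission, ())))

def list_ids(user_roles, folder):
    """Plain contents list: holding 'Access contents information' on the
    folder reveals every subobject id, whatever the subobjects' own settings."""
    if not has_permission(user_roles, folder, "Access contents information"):
        raise PermissionError(f"{folder.id}: access contents information denied")
    return [o.id for o in folder.contents]

def restricted_list_ids(user_roles, folder):
    """Role-filtered view: same folder check, then keep only the subobjects
    the user could actually View."""
    list_ids(user_roles, folder)  # raises if the folder itself is off limits
    return [o.id for o in folder.contents
            if has_permission(user_roles, o, "View")]

def build_news_site():
    """Constructed sample matching the thread: one folder per role."""
    issues = ZObject("issues", {"View": ["Manager", "IssueEditor"]})
    classifieds = ZObject("classifieds",
                          {"View": ["Manager", "ClassifiedManager"]})
    return ZObject("site",
                   {"Access contents information":
                    ["Manager", "IssueEditor", "ClassifiedManager"]},
                   [issues, classifieds])

if __name__ == "__main__":
    site = build_news_site()
    print(list_ids(["ClassifiedManager"], site))             # ['issues', 'classifieds']
    print(restricted_list_ids(["ClassifiedManager"], site))  # ['classifieds']
```

In real Zope the per-object check would be made with the authenticated user's permission test against each subobject rather than by a hand-written role lookup, but the filtering step is the same.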