[Zope] Odd Security Behavior
James W. Howe
jwh@allencreek.com
Tue, 22 Feb 2000 10:40:00 -0500
I'm working on a Python-based extension to the Folder class. I'm planning
on adding a couple of custom roles, a couple of custom views and some
special behavior. I'm sure that most of this I could do with a ZClass, but
I'm trying to learn some Python so I figured I would build this extension
using only Python. I've basically got the thing sort of working, but I'm
seeing some odd behavior that I don't fully understand.
My object is a subclass of Folder. I have defined a manage_options which
contains a list of all my views. I have defined an __ac_permissions__
which adds a new permission which controls access to one of the views. I
have defined an __ac_roles__ to add a new role. I can create a new
instance and the information on my security tab looks as I would expect. I
have verified that the object I create is in fact an instance of my Python
class. Now comes the strange part.
I want my management role and my new role (called Publisher) to be able to
access the management interface, so I've checked the 'View management
screens' options. However, I don't want the manager role to view my
"Publisher" view (one of the views defined by my class), and I don't want
my "Publisher" role to see full contents. I have unchecked the "Access
Publication Contents" (my Publisher view role) for everyone except the
Publisher role. I have "Access contents information" checked for my
Manager but not for the Publisher role. What I hoped would happen is that
when I was authenticated as Manager, I would see all tabs except the
"Publisher" tab and when I was authenticated as Publisher, I would see all
tabs except the contents tab. What happened was both users were able to
see all tabs. I haven't figured out why this is happening.
In an effort to customize my "contents" view, I copied the "main.dtml" from
OFS (the dtml used by ObjectManager to display contents) to my product
directory. I added the following line to my Python class to get my
main.dtml used:
manage_main=HTMLFile('main', globals())
I made a tiny change in the dtml so I could verify that my dtml was being
displayed. I restarted the browser and server and connected as Manager. I
saw my modified contents screen, as expected. However, when I logged in as
Publisher, I didn't see the Contents tab at all. The first page displayed
was my Publisher view (which is what I really wanted to have happen) and
the Contents tab didn't exist. My question is this, why is it that when I
use the inheritied manage_main (from ObjectManager), permissions don't work
as I expect, but when my class overrides manage_main, but uses basically
the same dtml template for contents, the contents are shown for Managers
but not my Publisher role?
Any insights on this behavior would be appreciated.
Thanks.
James W. Howe mailto:jwh@allencreek.com
Allen Creek Software, Inc. pgpkey: http://ic.net/~jwh/pgpkey.html
Ann Arbor, MI 48103
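As an added example, not code from the post or from Zope itself: a small stand-alone Python model of the declarations the post describes (`__ac_permissions__`, `__ac_roles__`, `manage_options`, and the `_<Permission>_Permission` role lists the Security tab stores on the instance), used to work out which tabs each role should see under the settings the poster chose. The method name `manage_publisher`, the permission-to-method grouping and the "no declaration means no role" simplification are assumptions of this model.

```python
"""Stand-alone model (not Zope code) of how Zope 2 maps ZMI tabs to
permissions and permissions to roles, using the names from the post."""


def pname(permission):
    # Zope keeps the roles granted a permission on the instance under an
    # attribute named '_<Permission_name>_Permission' (spaces -> underscores).
    return '_' + permission.replace(' ', '_') + '_Permission'


class PublicationFolder:
    """Model of the poster's Folder subclass: one custom role, one custom
    permission and two tabs.  'manage_publisher' is an assumed method name."""
    __ac_roles__ = ('Manager', 'Publisher')
    __ac_permissions__ = (
        ('View management screens', ('manage_tabs',)),
        ('Access contents information', ('manage_main',)),
        ('Access Publication Contents', ('manage_publisher',)),
    )
    manage_options = (
        {'label': 'Contents', 'action': 'manage_main'},
        {'label': 'Publisher', 'action': 'manage_publisher'},
    )

    def __init__(self):
        # The role assignments the poster describes making on the Security tab.
        setattr(self, pname('View management screens'), ('Manager', 'Publisher'))
        setattr(self, pname('Access contents information'), ('Manager',))
        setattr(self, pname('Access Publication Contents'), ('Publisher',))

    def permission_for(self, method_name):
        # Each method is protected by the permission that lists it.
        for permission, methods in self.__ac_permissions__:
            if method_name in methods:
                return permission
        return None

    def roles_for(self, method_name):
        # Model simplification: a method no permission declares gets no role.
        permission = self.permission_for(method_name)
        if permission is None:
            return ()
        return getattr(self, pname(permission), ())

    def visible_tabs(self, role):
        # A tab should appear only if the role holds its action's permission.
        return [opt['label'] for opt in self.manage_options
                if role in self.roles_for(opt['action'])]
```

With these settings the model yields the outcome the poster expected: Manager sees only Contents, Publisher sees only Publisher.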