[Zope] Security - View vs Access Contents
Dieter Maurer
dieter@handshake.de
Wed, 18 Apr 2001 21:37:21 +0200 (CEST)
Tim Considine writes:
> (1) I want to set the security properties of a sub-folder to relate to
> a specific user. So I uncheck View for the anonymous user to "force" a
> Zope login. But it doesn't appear to work. So I uncheck Access
> Contents too - and it does seem to work.
>
> What is the difference between these 2 permissions ?
The basic Zope security machinery does not associate semantics
with the permissions. It is up to the developer (and his sense
for consistency and semantics) to choose properly named
permissions.
I have not yet seen a document that describes rules/guidelines
on how permissions are used to protect Zope methods.
> (2) Also I am struggling then to make Zope check the
> AUTHENTICATED_USER against a property set for the folder which contains
> the authorised user's initials (which are the same as login name).
What is a property set?
> I am trying to use a standard DTML method but set individual property
> elements for each sub-folder. Is this OK as an approach ? Or is there
> a better one ?
>
> My DTML code is this ... but it's clearly wrong ! [User is name or
> property element set for the folder.]
>
> <dtml-if expr="AUTHENTICATED_USER.getUserName()==objectValues('User')">
"objectValues(meta_type)" returns the contained objects of an
ObjectManager (!) with meta type "meta_type".
Never use "objectValues" for objects that are not ObjectManagers.
They define a stupid and unusable "objectValues" method.
If your folder has a property called "User", then you would
use:
<dtml-if expr="AUTHENTICATED_USER.getUserName()==User">
If your "User" would not be a single user, but a list of
users, the following would look promising:
<dtml-if expr="AUTHENTICATED_USER.getUserName() in User">
Good reading for people starting to learn Zope:
the Zope Book (-> zope.org)
and
URL:http://www.dieter.handshake.de/pyprojects/zope/book/chap3.html
Dieter
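
Added example, not part of the original message: a plain-Python model of the two checks above, showing why the `in` form is only safe when `User` really is a list. In current Python, `in` on a string is a substring test, so a string-valued `User` would match partial login names. The helper name and sample values are hypothetical.

```python
# Added illustration (not Zope code): models the DTML comparison of the
# logged-in user name against a folder property called "User".

def user_is_authorised(username, user_property):
    """Return True only on an exact match against the "User" property.

    user_property may be a single string (one login name) or a
    list/tuple of login names (for example a multi-line property).
    """
    if not username:
        return False
    # Normalise a single string to a one-element list so that the
    # membership test below never degrades to substring matching.
    if isinstance(user_property, str):
        allowed = [user_property]
    else:
        allowed = list(user_property or [])
    # Ignore empty entries (e.g. a trailing blank line in the property).
    allowed_names = {name.strip() for name in allowed if name.strip()}
    return username in allowed_names


if __name__ == "__main__":
    # Constructed sample values.
    print(user_is_authorised("tc", "tc"))          # single-user property
    print(user_is_authorised("tc", ["dm", "tc"]))  # list property
    print("t" in "tc")                             # naive check: substring hit
    print(user_is_authorised("t", "tc"))           # exact match rejects it
```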