[Zope] checking permissions

A M Thomas am@virtueofthesmall.com
Tue, 30 Apr 2002 17:00:43 -0400


Things are better - but still not quite right.  I'm guessing that
ValidateValue wants an object rather than a string, since passing it a
string as returned from context.filtered_manage_options() makes it
return "False" every time.

I found Validate and tried passing the string as the "name" argument,
with the current context as the "container" argument, but then
everything gets a "True" value; my dummy user account still gets
presented with options that can't be used.  Is there a way to make it
only return true for those actions the current user can do?

<start slight documentation rant>
I suspect either a) I'm going to have to figure out how to get the
actual object given the method name, or b) I'm still not understanding
the Validate arguments.  The document I found says that the first value,
"Accessed", is "the object that was being accessed" - I left that as
None, but is it asking for the current object (context) or the object
that is the method?  And for "value" it says "the value retrieved
through the access" - I've been assuming that if I used the method name
to get the method object, that would be what I'd properly pass for this
argument, but I'm not 100% clear on this - and this is the same as the
sole argument for ValidateValue.  Help!
<end rant>

Thanks a bunch for following up, Dieter - the DTML/Python stuff was
making me nuts.  I'll do that feature request.

- Am

============== my current code - everything passes, ============
============== even when it shouldn't ==========================

from AccessControl import getSecurityManager

manage_options=context.filtered_manage_options()

optionslist = []

for mopt in manage_options:
  print "testing", mopt['action']
  if getSecurityManager().validate(None, context, mopt['action'], None):
  # the next test makes everything fail
  # if getSecurityManager().validateValue(mopt['action']):
    optionslist.append([mopt['action'], mopt['label']])
    print "...passed"
  else:
    print "...failed"

return printed

==============================================

Dieter Maurer wrote:
> 
> A M Thomas writes:
>  > Thanks, Dieter!  This looks like exactly what I want.  Documented in the
>  > Zope book and everything.
>  >
>  > Of course, I'm trying to use it in a python script - tried
>  > context.SecurityValidateValue(stuff) - and it's giving me an attribute
>  > error, but I'm struggling with the flu and it could be anything.
> It is very unfortunate (and unnecessary) that DTML and Python Script use
> different security APIs. Please file a feature request to the Collector.
> 
> In Python Scripts, you would use:
> 
>    from AccessControl import getSecurityManager
> 
>    getSecurityManager().validateValue(value)
> 
> In fact, that's what "SecurityValidateValue" does...
> 
> Dieter