[Zope] Preventing acquiring a permission
John K. Hohm
jhohm@acm.org
Thu, 19 Sep 2002 19:53:28 -0500
Quoting Toby Dickenson <tdickenson@geminidataloggers.com>:
> On Thursday 19 Sep 2002 1:05 am, John K. Hohm wrote:
[snip]
> > No, that's not it at all. I want all authenticated users to have
> > permissions to list the contents of the /auto folder, but I want a user
> to
> > have permissions to the /auto/foo, /auto/bar, etc. folders and their
> > contained items only if they have a role local to one of those folders.
>
> From what I can see thats exactly the same as my example, assuming the top
> level folder is your new folderish product.
>
> I suggest you create a new "list contents of top-level folder" permission,
> change your folderish product so that this permission controls the relevant
> methods, then grant this permission to everyone.
Although your assumption is wrong, your suggestion is excellent. :-) My
folderish product is actually the sub-folder foo in /auto/foo.
> > As
> > it happens I am assigning the local roles with a BasicUser modification by
> > virtue of a user having a role whose name is related to the name of the
> > folder, say foo_dogs or bar_dogs.
>
> Thats cool.
Thanks, I think so, especially when following your suggestion. Creating a 'View
MyProduct' permission and using declareObjectProtected lets me do what I want.
Now I have the dogs role defined at /auto and assigned the 'View MyProduct'
permission, but don't otherwise change the /auto permissions. The result is
that only the users that get the 'dogs' role in the context of /auto/foo can see
/auto/foo or anything in it, but once they have that role they can do everything
with it and its contents based on what roles they have in /auto.
Thanks for sticking with me on this one; it took a while for the proverbial
light bulb over my head to flicker on.