[Zope] Preventing acquiring a permission

John K. Hohm jhohm@acm.org
Thu, 19 Sep 2002 19:53:28 -0500


Quoting Toby Dickenson <tdickenson@geminidataloggers.com>:
> On Thursday 19 Sep 2002 1:05 am, John K. Hohm wrote:

[snip]

> > No, that's not it at all.  I want all authenticated users to have
> > permissions to list the contents of the /auto folder, but I want a user to
> > have permissions to the /auto/foo, /auto/bar, etc. folders and their
> > contained items only if they have a role local to one of those folders.
> 
> From what I can see that's exactly the same as my example, assuming the top 
> level folder is your new folderish product.
> 
> I suggest you create a new "list contents of top-level folder" permission, 
> change your folderish product so that this permission controls the relevant
> methods, then grant this permission to everyone.

Although your assumption is wrong, your suggestion is excellent. :-)  My
folderish product is actually the sub-folder foo in /auto/foo.

> >  As
> > it happens I am assigning the local roles with a BasicUser modification by
> > virtue of a user having a role whose name is related to the name of the
> > folder, say foo_dogs or bar_dogs.
> 
> That's cool.

Thanks, I think so, especially when following your suggestion.  Creating a 'View
MyProduct' permission and using declareObjectProtected lets me do what I want. 
Now I have the dogs role defined at /auto and assigned the 'View MyProduct'
permission, but don't otherwise change the /auto permissions.  The result is
that only the users that get the 'dogs' role in the context of /auto/foo can see
/auto/foo or anything in it, but once they have that role they can do everything
with it and its contents based on what roles they have in /auto.

Thanks for sticking with me on this one; it took a while for the proverbial
light bulb over my head to flicker on.
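
The arrangement described in this message, as an added example that is not part of the original post and is not Zope's AccessControl code: a simplified model in which the sub-folders are guarded by 'View MyProduct', that permission is granted to 'dogs' at /auto and acquired below, and 'dogs' is held only in the context of a matching folder. The `Node` class, the helper functions, the users and the exact `<folder>_dogs` matching rule are assumptions made for illustration.

```python
# Simplified model of the check described in the message above. Constructed
# for illustration; it is not Zope's AccessControl implementation.

class Node:
    def __init__(self, name, parent=None, guard="View"):
        self.name = name
        self.parent = parent
        self.guard = guard    # permission protecting the object itself
        self.grants = {}      # permission -> roles granted at this node

    def chain(self):
        """Yield this node and every container above it."""
        node = self
        while node is not None:
            yield node
            node = node.parent


def roles_with_permission(node, permission):
    """Roles holding `permission` at `node`; grants are acquired from containers."""
    roles = {"Manager"}
    for n in node.chain():
        roles.update(n.grants.get(permission, ()))
    return roles


def roles_in_context(global_roles, node):
    """Global roles, plus 'dogs' where a role named <folder>_dogs matches.

    Assumed naming rule, standing in for the BasicUser modification.
    """
    roles = set(global_roles)
    for n in node.chain():
        if n.name + "_dogs" in global_roles:
            roles.add("dogs")
    return roles


def can_access(global_roles, node):
    """True if any role the user has in this context holds the guard permission."""
    allowed = roles_with_permission(node, node.guard)
    return bool(allowed & roles_in_context(global_roles, node))


# Constructed layout matching the thread: /auto, /auto/foo, /auto/bar.
auto = Node("auto")
auto.grants = {"View": ["Authenticated"], "View MyProduct": ["dogs"]}
foo = Node("foo", auto, guard="View MyProduct")
bar = Node("bar", auto, guard="View MyProduct")

alice = {"Authenticated", "foo_dogs"}   # constructed users
bob = {"Authenticated"}
```
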