[Zope] Acquiring permissions on cataloged objects

[Wilbert Kraan]

In a product I'm making, privileged and unprivileged users can query a 
ZCatalog that indexes both restricted and unrestricted objects.

So I'd like to filter out restricted objects from catalog returns for 
the unprivileged users.

Here's what I tried:

1. Give objects an extra property at creation time that indicates the 
crucial permission (role: Anonymous, permission: View).
Doesn't work because the objects are nested, and have to acquire 
permissions from their parents.
2. Somehow get SecurityCheckPermission to loop over the 'real' objects 
and block rendering of the corresponding result object. Something like this:

<dtml-in expr="TheCatalog({'meta_type':'TheObject'})">
<dtml-if expr="_.SecurityCheckPermission(
                     'View', object">
<dtml-var title>
</dtml-if>
</dtml-in>

This should work if only I could get anything out of the record object 
that allows me to reliably acquire the 'real' object. I.e. I don't know 
how to fill in the "object" in the code above. Most promising is running 
the getPath() method on the result object, but I haven't managed to 
coerce its result into something SecurityCheckPermission can work with.
3. Following Juri Pakaste's blog post 
<http://www.helsinki.fi/~pakaste/blog/ugly_zope_hacks.html>, I realised 
that even testing permissions on remote objects needed the 'View' 
permission, so I tried something like this:

<dtml-in expr="TheCatalog({'meta_type':'TheObject'})">
<dtml-try>
<dtml-call "_.int(getPath)">
       <dtml-var title>
       </dtml-try>
</dtml-in>

Same problem: how do I get anything in that <dtml-try> block to access 
the actual object? <dtml-call "_.int(getPath)"> and (very, very) 
numerous variations don't work.

The site is Zope 2.5.1, the Zcatalog is indexed automagically.

-- 
Wilbert Kraan
Web Journalist
Centre For Educational Technology Interoperability Standards (CETIS)
+44 (0)1248 383645
web: http://www.cetis.ac.uk newsfeed: http://www.cetis.ac.uk/news.xml