[Zope] Security question: looking up constructor permission

zope at netchan.cotse.net
Fri Apr 9 11:11:59 EDT 2004


> .. my brain needs a nudge again. I need to fetch an object
> from the ZODB subject to security checks. This doesn't work:
> 
>    result = [self.restrictedTraverse(p.getPath()) for p in proxies]
> 
> because for a path such as '/app/container/object' the user
> might have access to 'object' without having access to
> 'container'.

AFAIK restrictedTraverse(path) checks roles on every step of the path.
It uses the __role__ attribute of the object.

> but I don't know where to find 'permission_name'. It's the
> permission registered for the class at __init__ time:
> 
>          context.registerClass(
>              class_instance,
>              permission = 'Add %s' % classname,
>              constructors = getConstructor(module, class_instance)
>          )

The source (App/ProductContext.py/registerClass) says:
       "permission -- The permission name for the constructors.
           If not specified, then a permission name based on the
           meta type will be used."

I think this is used for filtering items in the Add product listbox but
I may be wrong. Anyway, by the docs this is a permission for creating
that object, not for accessing.

Regards,
Sandor
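
The difference between checking every step of the path and checking only the target object, as an added example that is not part of the original thread and is not Zope code. `Node`, `StubSecurityManager` and the two `fetch_*` helpers are hypothetical stand-ins so the block runs without Zope; in a real instance the manager would come from `AccessControl.getSecurityManager()` and `'View'` is an assumed permission name.

```python
class Node:
    """Constructed stand-in for a Zope object; `allowed` models the user's permission on it."""
    def __init__(self, name, allowed, children=()):
        self.name, self.allowed = name, allowed
        self.children = {c.name: c for c in children}

    def steps(self, path):
        """Yield every object along `path`; KeyError if a step is missing."""
        node = self
        for part in path.strip("/").split("/"):
            node = node.children[part]
            yield node

    def unrestrictedTraverse(self, path, default=None):
        # Same call shape as Zope's unrestrictedTraverse(path, default): no checks.
        try:
            return list(self.steps(path))[-1]
        except KeyError:
            return default

class StubSecurityManager:
    """Stand-in for the object AccessControl.getSecurityManager() returns in Zope."""
    def checkPermission(self, permission, obj):
        return obj.allowed

def fetch_every_step_checked(root, path, sm, permission="View"):
    """Model of per-step checking: one refused step hides the target.
    (Simplified: returns None where Zope would raise Unauthorized.)"""
    obj = None
    try:
        for obj in root.steps(path):
            if not sm.checkPermission(permission, obj):
                return None
    except KeyError:
        return None
    return obj

def fetch_target_checked(root, path, sm, permission="View"):
    """Traverse without checks, then test the permission on the target only."""
    obj = root.unrestrictedTraverse(path, None)
    if obj is not None and sm.checkPermission(permission, obj):
        return obj
    return None

# Constructed tree: 'container' is closed to the user, 'object' inside it is not.
ROOT = Node("", True, [Node("app", True, [
    Node("container", False, [Node("object", True), Node("secret", False)])])])
```

Checking only the target ignores any restriction that was placed on a container precisely to hide its contents, so the permission tested on the final object has to be the one that actually governs access to it.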