[Zope] Security question: looking up constructor permission
zope at netchan.cotse.net
zope at netchan.cotse.net
Fri Apr 9 11:11:59 EDT 2004
> .. my brain needs a nudge again. I need to fetch an object
> from the ZODB subject to security checks. This doesn't work:
>
> result = [self.restrictedTraverse(p.getPath()) for p in proxies]
>
> because for a path such as '/app/container/object' the user
> might have access to 'object' without having access to
> 'container'.
AFAIK restrictedTraverse(path) checks roles on every step of the path.
It uses the __role__ attribute of the object.
> but I don't know where to find 'permission_name'. It's the
> permission registered for the class at __init__ time:
>
> context.registerClass(
> class_instance,
> permission = 'Add %s' % classname,
> constructors = getConstructor(module, class_instance)
> )
The source (App/ProductContext.py/registerClass) says:
"permission -- The permission name for the constructors.
If not specified, then a permission name based on the
meta type will be used."
I think this is used for filtering items in the Add product listbox but
I may be wrong. Anyway, by the docs this is a permission for creating
that object, not for accessing.
Regards,
Sandor
More information about the Zope
mailing list