[Zope] Security question: looking up permission protecting a class
Jean Jordaan
jean at upfrontsystems.co.za
Tue Apr 13 05:56:53 EDT 2004
Hi Sandor
Thanks for the reply.
> AFAIK restrictedTraverse(path) checks roles on every step of the path.
> It uses the __role__ attribute of the object.
Yup, that's the problem.
Here's what I ended up doing::
result = []
for p in self.Catalog({'meta_type': meta_type, prop_name: value}):
obj = p.getObject()
permission = obj.__ac_permissions__[0][0]
if self.REQUEST.AUTHENTICATED_USER.has_permission(permission, obj):
result.append(obj)
That 'obj.__ac_permissions__[0][0]' looks dog-ugly to me. I'm
sure there must be a better way.
> You may want to have a look at the declareObject* methods:
> http://zope.org/Documentation/Books/ZDG/current/Security.stx#3-45
My objects are already protected:
security.declareObjectProtected('View Customer')
but this only helps when the user is browsing to the object through
the web, or when I use 'restrictedTraverse' or another security-
checker explicitly, as above.
The 'obj.__ac_permissions__[0][0]' lookup returns the permission
specified by the 'declareObjectProtected' call on the class.
--
Jean Jordaan
http://www.upfrontsystems.co.za
/training <-- Zope/Plone training!
More information about the Zope
mailing list