[Zope] Defining my own security

Steve Jibson steve at jibson.com
Fri Apr 30 12:46:44 EDT 2004


Thank you!!

You got me started down the right road.  I ended up putting my check in 
the "__before_publishing_traverse__" method of my "Folder" and it seems 
to be doing exactly what I had hoped.

Steve



Matt Hamilton wrote:
>>Okay, here goes...
>>
>>I have created a Zope Product that extends a Zope Folder object and I
>>want to add a non-traditional security check before allowing users to
>>"View" stuff in the "folder".  For reasons that are too complicated to
>>explain here, I can't use Zope roles and permissions for this check (in
>>fact, this check should be done in addition to Zope's existing security
>>mechanism checks).  What I want to do is verify that a particular
>>variable in the "Session" matches a specific property of the "folder".
>>If it does not match, I want to raise an unauthorized error.
>>
>>Is this kind of thing possible?  Any help will be appreciated.
> 
> 
> Steve,
>   Yes this kind of thing is possible.  The main question is what exactly
> you want to protect, i.e. is it a method call on that object (e.g.
> objectValues)?
> 
> The general code would be something like:
> 
> from zExceptions import Unauthorized
> 
> # inside a method of the folder that has REQUEST available
> data = REQUEST.SESSION['my_session_var']
> if data != self.myproperty:
>     raise Unauthorized('<strong>You are not authorized to access this resource.</strong>')
> 
> 
> The more difficult question is where exactly in your code to put this.  If
> you want to protect the access of objects within the folder, then I think
> you will need to put it in __getitem__ somewhere.  However I do remember
> talking to someone else about this and one of the methods like that
> overrides the security, or swallows the exception or something.  You may
> have to play around with it, or try putting it in __bobo_traverse__
> 
> -Matt
> 
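The approach Steve settled on, as an added example that is not code from either poster: a folder-like class whose `__before_publishing_traverse__(self, object, REQUEST)` hook compares a session value with a folder property and raises `Unauthorized` on mismatch. ZPublisher calls that hook, with exactly that signature, before it traverses into the object during URL publishing, so the check runs in addition to Zope's role/permission checks rather than replacing them. Everything below that is not part of ZPublisher is an assumption made for the example: the class name `SessionGatedFolder`, the property `required_token`, the session key `access_token`, and the `FakeRequest` stand-in used so the logic can be exercised without a running Zope. In a real Product the class would subclass `OFS.Folder.Folder`.

```python
"""Session-vs-property gate in a Zope folder's __before_publishing_traverse__ hook.

Constructed example for the thread above, not code from the posters.
Falls back to a stand-in Unauthorized class when Zope is not importable.
"""
try:
    from zExceptions import Unauthorized
except ImportError:  # assumption: Zope not installed, so define a stand-in
    class Unauthorized(Exception):
        pass


class SessionGatedFolder:
    """Hypothetical folder; a real Product would subclass OFS.Folder.Folder."""

    # Session key compared against the folder property (name is an assumption).
    session_key = 'access_token'

    def __init__(self, id, required_token):
        self.id = id
        # The folder property the session value must match (assumed name).
        self.required_token = required_token

    def __before_publishing_traverse__(self, object, REQUEST):
        """Called by ZPublisher before it traverses into this object.

        Zope's own role/permission checks still run afterwards; this hook
        only adds a further condition.  It is NOT invoked when code reaches
        the folder's contents without going through the publisher (for
        example a Script (Python) calling context.folder.objectValues()).
        """
        session = REQUEST.SESSION
        presented = session.get(self.session_key)
        # A missing key is treated the same as a wrong value: deny.
        if presented is None or presented != self.required_token:
            raise Unauthorized('You are not authorized to access this resource.')


class FakeRequest:
    """Constructed stand-in for the publisher's REQUEST; only SESSION is used."""

    def __init__(self, session):
        self.SESSION = session


def is_allowed(folder, session):
    """Run the hook the way the publisher would and report the outcome.

    Returns True when traversal may continue, False when the hook raised
    Unauthorized (which the publisher would turn into a 401 challenge).
    """
    try:
        folder.__before_publishing_traverse__(folder, FakeRequest(session))
    except Unauthorized:
        return False
    return True


def demo():
    """Constructed sample sessions run against one folder."""
    folder = SessionGatedFolder('reports', required_token='team-a')
    results = {
        'matching': is_allowed(folder, {'access_token': 'team-a'}),
        'mismatch': is_allowed(folder, {'access_token': 'team-b'}),
        'no key': is_allowed(folder, {}),
    }
    return results


if __name__ == '__main__':
    for name, allowed in demo().items():
        print(f'{name}: {"allowed" if allowed else "denied"}')
```

Two points worth keeping in mind when using this hook for a security check. First, it is a publishing-time hook only: anything that reaches the folder's sub-objects by attribute access, acquisition or `restrictedTraverse` from trusted code never passes through it, which is why Matt's question about what exactly is being protected matters. Second, the publisher treats `Unauthorized` raised here like any other authorization failure and issues the normal challenge, so a user with a stale session value gets a login prompt rather than a clear explanation; if that is undesirable, raise a different exception or redirect instead.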



