[Zope] Checking dynamic permissions
Paul Winkler
pw_lists at slinkp.com
Mon Jan 19 10:28:08 EST 2004
On Mon, Jan 19, 2004 at 12:02:14PM +0100, Gilles Lenfant wrote:
> Hi,
>
> I need a fine grained permisssion for a certain category of
> (authenticated) users.
>
> Defining a role/permissions mapping is not enough : Each authenticated
> user is granted to proceed operations up to a certain amount, depending
> on his/her supposed skills.
>
> When the user attempts to proceed an operation that exceeds that amount,
> the permission for some objects/methods must be denied.
>
> Of course, I need to make my own user folder for this (exUserFolder based ?)
that or SimpleUserFolder.
I had similar needs (with different access criteria, of course).
There was a lengthy discussion on zope-dev.
I ended up doing the following:
1) Create a single new role but *do not assign it to any users*.
For all content / actions which are to be protected by this techique,
grant access using the new role.
2) Create a new User class, deriving from an existing one from whatever
UserFolder product you choose.
a) define User.getRolesInContext(self, object) such that
it dynamically supplements the user's real local roles with your
new special role if your criteria are met.
b) define User.allowed(self, object, object_roles=None)
so that it supplements the user's real local roles with your
new special role before checking authorization.
--
Paul Winkler
http://www.slinkp.com
Look! Up in the sky! It's JERK ENCEPHALOPATHY!
(random hero from isometric.spaceninja.com)
More information about the Zope
mailing list