[Zope] confused on permissions and roles
John Hunter
jdhunter at ace.bsd.uchicago.edu
Wed Jun 30 18:41:09 EDT 2004
>>>>> "John" == John Hunter <jdhunter at ace.bsd.uchicago.edu> writes:
John> I have a class that inherits from RoleManager (via Folder).
John> It defined additional roles, including 'Administrator'. I
John> would like the Administrator to be able to view management
John> screens and create objects of certain types, but not be able
John> to delete or rename objects of certain types.
A follow-up - I've learned a bit more and realized I made a mistake in
the code I posted, so I want to focus my question.
Goal: allow authenticated users with Role 'Administrator' or 'Manager'
to access the manage_main screen of my instance, but disallow
non-authenticated users or users with other roles.
I've learned that ClassSecurityInfo supersedes __ac_permissions__, so
I'm focusing my energies here.
In the example below, RestrictedFolder derives from Folder
Example 1: I can access manage_main w/o any passwd authentication. I
want to be prompted for a passwd and given access if the user has
role Administrator or Manager.
# Zope 2.7 imports for the security declarations used below; RestrictedFolder
# is the poster's own Folder subclass (its import path is not given here).
from AccessControl import ClassSecurityInfo
from Globals import InitializeClass

class Workflow(RestrictedFolder):
    """
    The base folder
    """
    meta_type = "Workflow"
    __ac_roles__ = ('Manager', 'Administrator', 'Researcher', 'Reviewer')

    # Example 1 uses 'View'; Example 2 swaps the comment to use
    # 'View management screens' instead.
    #permission = 'View management screens'
    permission = 'View'
    roles = ('Manager', 'Administrator')

    security = ClassSecurityInfo()
    security.setDefaultAccess('deny')

    def __init__(self, id=None):
        # snip
        pass

    # Grant `permission` to `roles` by default, then protect manage_main with it.
    security.setPermissionDefault(permission, roles)
    security.declareProtected(permission, 'manage_main')
    def manage_main(self, *args, **kwargs):
        'does this need to be overridden to have security apply to it?'
        return RestrictedFolder.manage_main(self, *args, **kwargs)

InitializeClass(Workflow)
Example 2: a user with role Administrator cannot access manage_main;
the following error is produced (the passwd is correct for this
user):
You are not authorized to access this resource.
Username and password are not correct. (Also, an error occurred
while attempting to render the standard error message.)
In this example, the code is the same as above, but I've reversed
the permission comment. That is, permission = 'View management screens'.
I am calling InitializeClass(RestrictedFolder). I am refreshing my
product and restarting my browser with each test. Changing the
default from 'deny' to 'allow' produces almost the same result (the
only difference is that in example 2 I don't get the part about the
standard error message).
I'm clearly missing something fundamental. What? I've read and
reread the Security sections of the ZDG and Zope Book, to no avail.
Thanks!
John Hunter
zope-2.7
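A simplified stand-alone model, added here and not part of the post or of Zope itself, of how the declarations in the example above are resolved at access time: setPermissionDefault becomes a '_<Permission>_Permission' roles attribute, declareProtected becomes a '<method>__roles__' marker, and a tuple of roles stops acquisition while a list keeps climbing. The Site container, its ['Anonymous'] grant, PlainFolder and the `parent` attribute (standing in for Zope's acquisition parent) are constructed for illustration.

```python
# Simplified model of Zope 2 permission resolution (constructed illustration,
# not Zope's code). A tuple of roles found on an object is final; a list adds
# its roles and the search continues in the container ('parent' ~ aq_parent).

def permission_attr(permission):
    """'View management screens' -> '_View_management_screens_Permission'."""
    return '_%s_Permission' % ''.join(c if c.isalnum() else '_' for c in permission)

def roles_for_permission(obj, permission):
    attr, acquired, node = permission_attr(permission), [], obj
    while node is not None:
        value = getattr(node, attr, None)
        if isinstance(value, tuple):            # explicit tuple: final answer
            return tuple(acquired) + value
        if isinstance(value, list):             # list: take roles, keep climbing
            acquired.extend(value)
        node = getattr(node, 'parent', None)
    return tuple(acquired) or ('Manager',)      # nothing declared anywhere

class PermissionRole:
    def __init__(self, permission):             # marker stored as <method>__roles__
        self.permission = permission

def allowed(user_roles, obj, name):
    """Model of the check made before obj.<name> is served to a request."""
    marker = getattr(obj, name + '__roles__', None)
    if marker is None:                          # undeclared name: class default access
        return bool(getattr(obj, '__allow_access_to_unprotected_subobjects__', 1))
    object_roles = roles_for_permission(obj, marker.permission)
    return 'Anonymous' in object_roles or any(r in object_roles for r in user_roles)

class Site:                                     # constructed container
    _View_Permission = ['Anonymous']            # list form: acquirable grant

class Workflow:                                 # mirrors the post's declarations
    __allow_access_to_unprotected_subobjects__ = 0    # setDefaultAccess('deny')
    _View_Permission = ('Manager', 'Administrator')   # setPermissionDefault(...)
    manage_main__roles__ = PermissionRole('View')     # declareProtected(...)

class PlainFolder:                              # same declaration, no local default
    manage_main__roles__ = PermissionRole('View')

def demo():
    site, wf, plain = Site(), Workflow(), PlainFolder()
    wf.parent = plain.parent = site
    return {'admin_wf': allowed(('Administrator',), wf, 'manage_main'),
            'anon_wf': allowed(('Anonymous',), wf, 'manage_main'),
            'manager_other': allowed(('Manager',), wf, 'manage_other'),
            'anon_plain': allowed(('Anonymous',), plain, 'manage_main')}
```

The Workflow tuple keeps Anonymous out of manage_main even though the container grants it, while PlainFolder, having no local default, acquires the container's grant; the undeclared manage_other is refused by the 'deny' default.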