[Zope] Per-user authorization to folder using SiteAccess rules

[Andy Altepeter]

Hi All,

I have a zope folder that contains multiple documents.  Users order a
document to be created by our communications office.  That office then
uploads that word document (not through ZMI).  I want users to have
access to ONLY those documents they have ordered.  And all this needs to
be done programmatically and not through ZMI.

My first thought was to setup a SiteAccess Rule to get the current
username and see if it matches with one of their orders and the
requested word document.  But it seems that SiteAccessRules, and more
specifically __before_publishing_traverse__ occurs prior to user
authentication.  The script I was starting to write always sees the
'Anonymous User' when used as an Access Rule, but when viewed through
the ZMI, it is the current user.

Is there another way to do this?  I'm thinking that when the document is
uploaded, I set the owner to be the user that ordered it.  Then I can
set the permissions in this folder for View: ('Manager','Owner')?

Any thoughts/better ways to do this?

Thanks!
Andy