[Zope] Deleting objects from an external method
Nikko Wolf
nikko-wolf at earthlink.net
Mon Oct 17 15:55:15 EDT 2005
Dieter Maurer wrote:
>Nikko Wolf wrote at 2005-10-14 15:37 -0600:
>
>
>>I'm trying to allow users to delete objects that have been accidentally
>>created. I have criteria for what that means, but since I *DO NOT* want
>>them to delete object except by this method, I want to avoid granting
>>"Delete objects" to them (non-Managers).
>>
>>Can this even be done? At the base level, "Delete objects" is a
>>hard-coded requirement of the ObjectManager.manage_delObjects() function.
>>
>>
>
>Usually, an "External Method" is not restricted by Zope's
>security.
>
>Unless "manage_delObjects" does not perform an additional
>internal check (I think, it does not), your "External Method"
>can use it to delete objects.
>
>
My question stemmed from the fact that (for reasons I cannot not
duplicate), I was repeatedly getting Unauthorized exceptions using the
manage_delObjects() function. Thus, I moved the functionality into an
External Method, intending to avoid the restrictions.
But even there, throughout changes too numerous to remember now, the
Unauthorized problem persisted. Then, after snooping around I found
code in zope/lib/python/OFS/ObjectManager.py that set __ac_permissions__
with an entry:
('Delete objects', ('manage_delObjects',))
... hence my thought was that the ObjectManager class had the
requirement builtin at the source code level. Even trying new security
context (created from within the External Method) did not work.
After many hours of effort and debugging, I find that it works in a
"Script (Python)" with precisely the same code that I (thought I) used
originally. Obviously, something is different, but unless it was a
subtle typo that compiled correctly and worked (but not as desired) I
cannot fathom what has changed.
>BTW: Often, it is more faster simply to try something than
>to post a question to the mailing list and wait for the answer.
>Your question above is such a case ...
>
>
Indeed, I know that well. I *had* tried a multitude of variations
before sending; and I'd originally included details in the first
posting, but deleted it before I sent it since the question seemed to
stand on its own.
Thanks anyway,
Nikko
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.zope.org/pipermail/zope/attachments/20051017/3dc66af1/attachment.htm
More information about the Zope
mailing list