[Zope] Deleting objects from an external method

Nikko Wolf nikko-wolf at earthlink.net
Mon Oct 17 15:55:15 EDT 2005


Dieter Maurer wrote:

>Nikko Wolf wrote at 2005-10-14 15:37 -0600:
>  
>
>>I'm trying to allow users to delete objects that have been accidentally 
>>created.  I have criteria for what that means, but since I *DO NOT* want 
>>them to delete object except by this method, I want to avoid granting 
>>"Delete objects" to them (non-Managers).
>>
>>Can this even be done?  At the base level, "Delete objects" is a 
>>hard-coded requirement of the ObjectManager.manage_delObjects() function.
>>    
>>
>
>Usually, an "External Method" is not restricted by Zope's
>security.
>
>Unless "manage_delObjects" does not perform an additional
>internal check (I think, it does not), your "External Method"
>can use it to delete objects.
>  
>
My question stemmed from the fact that (for reasons I cannot not 
duplicate), I was repeatedly getting Unauthorized exceptions using the 
manage_delObjects() function.   Thus, I moved the functionality into an 
External Method, intending to avoid the restrictions.

But even there, throughout changes too numerous to remember now,  the 
Unauthorized problem persisted.  Then, after snooping around I found 
code in zope/lib/python/OFS/ObjectManager.py that set __ac_permissions__ 
with an entry:
        ('Delete objects',     ('manage_delObjects',))

... hence my thought was that the ObjectManager class had the 
requirement builtin at the source code level.   Even trying new security 
context (created from within the External Method) did not work.

After many hours of effort and debugging, I find that it works in a 
"Script (Python)" with precisely the same code that I (thought I) used 
originally.  Obviously, something is different, but unless it was a 
subtle typo that compiled correctly and worked (but not as desired) I 
cannot fathom what has changed.

>BTW: Often, it is more faster simply to try something than
>to post a question to the mailing list and wait for the answer.
>Your question above is such a case ...
>  
>
Indeed, I know that well.   I *had* tried a multitude of variations 
before sending; and I'd originally included details in the first 
posting, but deleted it before I sent it since the question seemed to 
stand on its own.

Thanks anyway,
Nikko

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.zope.org/pipermail/zope/attachments/20051017/3dc66af1/attachment.htm


More information about the Zope mailing list