[Zope] Deleting objects from an external method
Nikko Wolf
nikko-wolf at earthlink.net
Mon Oct 17 18:21:48 EDT 2005
Chris Withers wrote:
> Nikko Wolf wrote:
>
>>
>> I'm trying to allow users to delete objects that have been
>> accidentally created. I have criteria for what that means, but since
>> I *DO NOT* want them to delete objects except by this method, I want
>> to avoid granting "Delete objects" to them (non-Managers).
>
>
> Have the "delete process" done in a python script or external method.
> Only give "view" permission to that method to people who you want to
> be able to delete objects.
>
> If it's a python script, give it a Proxy role that has the "Delete
> objects" permission mapped, and you'll be fine :-)
That was my expectation too, but alas -- it does not work for me. Have
you specifically tried this?
==== Set up:
- Plone Site with "Delete objects" permission granted only to Manager
(not inheriting privs)
- (Plone) Folder "abc" with an object "xyz" under the Plone Site
(inheriting privs)
- The following "Script (Python)" named "nuke" and with "Manager"
proxy role.
- Non Manager user
- Load URL: {plone-root}/abc/xyz/nuke
==== Browser shows:
Insufficient Privileges
You do not have sufficient privileges to view this page. If you believe
you are receiving this message in error, please send an e-mail to"
==== The events.log shows:
2005-10-17T16:16:34 ERROR(200) SiteError http://localhost:8080/PloneRoot/abc/xyz/nuke
Traceback (most recent call last):
  File "/usr/local/zope/lib/python/ZPublisher/Publish.py", line 101, in publish
    request, bind=1)
  File "/usr/local/zope/lib/python/ZPublisher/mapply.py", line 88, in mapply
    if debug is not None: return debug(object,args,context)
  File "/usr/local/zope/lib/python/ZPublisher/Publish.py", line 39, in call_object
    result=apply(object,args) # Type s<cr> to step into published object.
  File "/usr/local/zope/lib/python/Shared/DC/Scripts/Bindings.py", line 306, in __call__
    return self._bindAndExec(args, kw, None)
  File "/usr/local/zope/lib/python/Shared/DC/Scripts/Bindings.py", line 343, in _bindAndExec
    return self._exec(bound_data, args, kw)
  File "/usr/local/zope/lib/python/Products/PythonScripts/PythonScript.py", line 324, in _exec
    result = f(*args, **kw)
  File "Script (Python)", line 16, in mlt
  File "/usr/local/zinstance/Products/CMFPlone/PloneFolder.py", line 306, in manage_delObjects
    raise Unauthorized, (
Unauthorized: Do not have permissions to remove this object
==== The script is:
## Script (Python) "nuke"
##bind container=container
##bind context=context
##bind namespace=
##bind script=script
##bind subpath=traverse_subpath
##parameters=
##title=My Test Script
##
from Products.PythonScripts.standard import html_quote

objid = context.getId()
folder = context.aq_inner.aq_parent
mylog = folder.plone_log

#####
## DELETION CRITERIA CHECKS OMITTED
####

# So, now we delete it...
member = context.portal_membership.getAuthenticatedMember()
mylog( "%s deletes (%s) from (%s)" %\
       (member.id, context.absolute_url(), folder.absolute_url()))
resp = folder.manage_delObjects( [objid] )
mylog( "folder.{%s}.manage_delObjects(['%s'] = {%s}\nCTX=%s" %
       (folder.absolute_url(), objid,
        folder.dumpIt( resp ), folder.absolute_url()))
mylog( "Remaining: " + str(folder.objectIds()) )

# Set 'text' for the portal_status_message
text = "No exceptions deleting '%s'" % objid
if objid in folder.objectIds():
    text += " / ID is still there"
else:
    text += " / ID is gone"
if context in folder.objectValues():
    text += " / OBJECT is still there"
else:
    text += " / OBJECT is gone"
context.REQUEST.RESPONSE.redirect( folder.absolute_url() +
                                   '?portal_status_message=' +
                                   html_quote(text))