[Zope3-Users] How to allow one user to access only his object

Naotoshi Seo sonots at sonots.com
Fri Oct 21 08:06:32 EDT 2005


Hi.

> class MessageTraverser:
> 
>     implements(IPublishTraverse)
>     __used_for__ = IMessage
> 
>     def publishTraverse(self, request, name):
>         if name == 'edit.html':
>             # verify password and return a message or raise NotFoundError.

How do I pass the POSTed value to publishTraverse's request?

<zope:view
       for=".IMessageBoard"
       type="zope.publisher.interfaces.browser.IBrowserRequest"
       factory=".MessageBoardTraverser"
       provides="zope.publisher.interfaces.browser.IBrowserPublisher"
       permission="zope.Public"
       />

from zope.publisher.interfaces import NotFound
from zope.app import zapi
from zope.app.container.traversal import ContainerTraverser

class MessageBoardTraverser(ContainerTraverser):

    __used_for__ = IMessageBoard

    def publishTraverse(self, request, name):
        if name == 'edit.html':
            subob = self._guessTraverse(request, name)
            if subob is not None:
                view = zapi.queryView(subob, name, request)
                if view is not None:
                    return view
            raise NotFound(self.context, name, request)

        view = zapi.queryView(self.context, name, request)
        if view is not None:
            return view
        raise NotFound(self.context, name, request)

    def _guessTraverse(self, request, name):
        msgs = IMessageBoard(self.context).items()
        passwd = request['field.passwd']
        for name, msg in msgs:
            if passwd == msg.passwd:
                return msg
        return None
-----------
   <pages
       ....
       class=".modulename.Classname"
       ....
       >
     <page
         name="password.html"
         template="password.pt"
         />
     <page
        name="whatever"
        attribute="post"
        />

class Classname(object):

     def post(self):
         nexturl = './edit.html'
         self.request.response.redirect(nexturl)

In this post method, do I redirect to a URL like
./edit.html?field.passwd=KDJFKJA? That is not cool. Are there any other ways?

Furthermore, returning an object in publishTraverse() did not work. I had
to create a view like zapi.queryView(subob, name, request). Why? Am I
missing something?

Furthermore, can I prohibit users from accessing it directly at
http://localhost:8080/messageboardobject/messageobject/edit.html? It
looks like I have to keep this URL open so that the Traverser can open it. But
if this is possible, nothing has changed from before.
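
Added example, not part of the original post and not Zope API code: a framework-free Python version of the check discussed above, in which the message is selected by its name and only then compared against the supplied password, and the redirect to edit.html carries a short-lived signed grant instead of field.passwd. SERVER_KEY, BOARD, the function names and the idea of keeping the grant in a cookie or session are assumptions; wiring into publishTraverse is not shown.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"  # assumption: per-deployment secret, server-side only
TOKEN_TTL = 300                       # seconds an edit grant stays valid
# Constructed sample board: message name -> stored password (plaintext, as in the post).
BOARD = {"msg1": "alpha", "msg2": "bravo", "msg3": "alpha"}


def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def check_password(board, name, supplied):
    """True only if `supplied` is the password of the message called `name`.

    Looking the message up by name first means two messages that share a
    password (msg1 and msg3 here) cannot be confused with each other.
    """
    stored = board.get(name)
    if stored is None or supplied is None:
        return False
    return hmac.compare_digest(stored.encode(), supplied.encode())


def issue_edit_token(name, now=None):
    """Grant bound to one message and an expiry time; it carries no password."""
    issued = time.time() if now is None else now
    payload = f"{name}:{int(issued) + TOKEN_TTL}"
    return f"{payload}:{_sign(payload)}"


def may_edit(name, token, now=None):
    """Check to run before serving edit.html for the message called `name`."""
    try:
        payload, sig = token.rsplit(":", 1)
        tok_name, expires = payload.rsplit(":", 1)
        expires = int(expires)
        sig = sig.encode()
    except (AttributeError, ValueError):
        return False  # missing or malformed grant
    if not hmac.compare_digest(sig, _sign(payload).encode()):
        return False  # tampered or forged grant
    current = time.time() if now is None else now
    return tok_name == name and current < expires
```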

