[Zope3-Users] understanding security

Achim Domma domma at procoders.net
Fri Apr 7 10:50:50 EDT 2006


Frank Burkhardt wrote:

>> Do I understand it right, that I do not grant a permission to a principal on a certain 
>> object instance? I only grant a permission to use a certain interface!?

> You can either grant permissions to principals (or groups/roles) globally. Those permissions
> can be used in multiple ways:
>    * To protect Views. You can only access views you have permissions for (e.g. <browser:page ...> )
>    * To protect attributes/methods of classes (*not objects*) (<class ...><required interface=...>)
>    * To define, who is allowed to modify certain attributes (<class ...><required set_schema=...> )

I can follow to this point. That's how I understand Zope security until now.

> Additionally you may grant permissions (and role memberships) on a per object (*not per class*)
> basis ( using e.g. the grant.html-View) which effects only a single object.

That's what I was looking for, but don't know how to do. For I example:

I want to let a user create an object (i.e. a message in a message 
board). All users with a certain role (i.e. Admins) should be able to 
edit the new object, but the creating user should also be able to edit 
it. So I have to give him the persmission to edit.

How can I do something like that?

regards,
Achim



More information about the Zope3-users mailing list