[Zope3-Users] Security Question

Frank Burkhardt fbo2 at gmx.net
Sun Apr 23 07:31:20 EDT 2006


Hi,

On Sat, Apr 22, 2006 at 05:06:15PM -0500, Jachin Rupe wrote:
> hi there
> 
> Is there a good example out there of setting up security based on some
> sort of ownership system?
> 
> I'm working my way though the Zope book.  What I would like to be able to
> do is allow the User who created a message to edit only "their" messages
> (the messages they created).  I think I've read all the relevant chapters
> of the Zope book and I can't find a place where it explains that.  Did I
> miss is somewhere?

I'm going to implement "object ownership", too. My idea is to assign a role
membership to the user (e.g. 'mysite.Owner') using annotated
per-object-security information (see
zope.app.securitypolicy.interfaces.IPrincipalRoleManager).

I might need a special permission ('mysite.OwnerAccess') which is
ZCML-<grant>ed to the 'mysite.Owner' role and used in all the views
I want' to be owner-only.

The role will be assigned on object creation - I'm not sure, if I can use
an event to do so because the request object will be needed to know the
creating principal. In any case it should be possible to assign the role
in the content object's __init__() method.

hth

Regards,

Frank


More information about the Zope3-users mailing list