[Zope3-Users] Re: how to know if a principal has the right permissions
Philipp von Weitershausen
philipp at weitershausen.de
Mon Aug 28 14:35:10 EDT 2006
Lorenzo Gil Sanchez wrote:
> On Sun, 27-08-2006 at 23:53 +0200, Philipp von Weitershausen wrote:
>
>> zope.security.canAccess
>> zope.security.canWrite
>
> Nice, I didn't know about those and I ended up writing my own solution:
>
> def canAdd(self):
>     interaction = ZopeSecurityPolicy()
>     interaction.add(Participation(self.request.principal))

Ack. Just get the current interaction with
zope.security.management.getInteraction(). With this code you're
hard-wiring yourself to the security policy in zope.app.securitypolicy.

>     return interaction.checkPermission("zope.ManageContent",
>                                        self.context)
>
> I'm trying to know if the user can add an item to a container. I don't
> know how to do that with zope.security.canWrite. I tried with
>
> zope.security.canWrite(self.context, '__data')
>
> since my container inherits from SampleContainer and the '__data'
> attribute is a dictionary-like object where the children are stored. I
> get a ForbiddenAttribute exception with that code.

Right. Because you're not supposed to poke at __data. The two
underscores should scare you off!

By the way, this is a rule of thumb:

Whenever you get ForbiddenAttribute errors, you're doing something
wrong. Either:

1. you're missing security declarations

2. you're accessing something that purposely has no security
   declarations because you're not supposed to access it.

Most of the time when newbies hit ForbiddenAttribute, it's #1. In your
case it's #2.

If you would take advantage of interfaces and look at IContainer, you
would see that containers are like mappings (=dictionaries). Therefore,
in order to add something in the container, you need to be able to
access the __setitem__ method. Check for that and you'll be all set.

Philipp