[Zope3-Users] Re: how to know if a principal has the right permissions
Lorenzo Gil Sanchez
lgs at sicem.biz
Mon Aug 28 14:44:31 EDT 2006
On Mon, 28-08-2006 at 20:35 +0200, Philipp von Weitershausen
wrote:
> Ack. Just get the current interaction with
> zope.security.management.getInteraction(). With this code you're
> hard-wiring yourself to the security policy in zope.app.securitypolicy.
>
Thanks, that's good to know.
> Right. Because you're not supposed to poke at __data. The two
> underscores should scare you off!
>
> By the way, this is a rule of thumb:
>
> Whenever you get ForbiddenAttribute errors, you're doing something
> wrong. Either:
>
> 1. you're missing security declarations
>
> 2. you're accessing something that purposely has no security
> declarations because you're not supposed to access it.
>
> Most of the time when newbies hit ForbiddenAttribute, it's #1. In your
> case it's #2.
>
> If you would take advantage of interfaces and look at IContainer, you
> would see that containers are like mappings (=dictionaries). Therefore,
> in order to add something in the container, you need to be able to
> access the __setitem__ method. Check for that and you'll be all set.
>
Sorry, my fault: I forgot to mention that I *did try*
zope.security.canWrite(obj, '__setitem__') before and it always returns
False, no matter if I try with the right user.
That's why I started to poke with '__data' which I know was going to be
a hack. By the way, by your rule of thumb I should not play with
'__setitem__' either (e.g. it has four underscores).
Lorenzo