[Zope3-Users] Re: how to know if a principal has the right permissions

Philipp von Weitershausen philipp at weitershausen.de
Mon Aug 28 15:27:49 EDT 2006


Lorenzo Gil Sanchez wrote:
> On Mon, 28-08-2006 at 20:49 +0200, Philipp von Weitershausen
> wrote:
>> Lorenzo Gil Sanchez wrote:
>>>> Right. Because you're not supposed to poke at __data. The two
>>>> underscores should scare you off!
>>>>
>>>> By the way, this is a rule of thumb:
>>>>
>>>> Whenever you get ForbiddenAttribute errors, you're doing something
>>>> wrong. Either:
>>>>
>>>>   1. you're missing security declarations
>>>>
>>>>   2. you're accessing something that purposely has no security
>>>>      declarations because you're not supposed to access it.
>>>>
>>>> Most of the time when newbies hit ForbiddenAttribute, it's #1. In your
>>>> case it's #2.
>>>>
>>>> If you would take advantage of interfaces and look at IContainer, you
>>>> would see that containers are like mappings (=dictionaries). Therefore,
>>>> in order to add something in the container, you need to be able to
>>>> access the __setitem__ method. Check for that and you'll be all set.
>>>>
>>> Sorry, my fault: I forgot to mention that I *did try*
>>> zope.security.canWrite(obj, '__setitem__') before and it always returns
>>> False, no matter if I try with the right user.
>> Why canWrite? You're not trying to *set* __setitem__! You should be
>> checking for canAccess(container, '__setitem__'). People who want to add
>> stuff to a container want to *call* container.__setitem__(...). I
>> suggest you read up on the Python mapping API.
>>
> 
> Oh! that was a stupid error indeed :(
> 
> Using canAccess now just does the opposite: it always returns True. I
> guess that's because when I register my container in the ZCML file I'm
> using zope.Public for the whole interface. I should split my interface
> in two interfaces, one for read-only attributes and one for write
> attributes, like the IContainer does.
> 
> So instead of inheriting my INewsFolder interface from IContainer I
> inherit from IReadContainer and I explicitly say in the configure.zcml
> that it also implements IWriteContainer. That way I can specify
> different permissions for read and write attributes.

Or, you leave INewsFolder as it is and only use IReadContainer and
IWriteContainer in the ZCML declarations. That's what I would do. If you
have my book, check the Containers chapter, it's done like this there.

Philipp
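
The declarations suggested in this reply, as an added example that is not part of the original message or of the book it mentions. The class path `.newsfolder.NewsFolder` and the choice of `zope.View` and `zope.ManageContent` are assumptions; INewsFolder itself stays unchanged and still inherits from IContainer.

```xml
<configure xmlns="http://namespaces.zope.org/zope">

  <!-- Before (the setup described in the quoted message): one permission
       for the whole interface. zope.Public is granted to every principal,
       so canAccess(container, '__setitem__') is True for everyone.

  <class class=".newsfolder.NewsFolder">
    <require
        permission="zope.Public"
        interface=".interfaces.INewsFolder"
        />
  </class>
  -->

  <!-- After: the security declarations are split along the read/write
       container interfaces, while the class keeps implementing
       INewsFolder as before. -->
  <class class=".newsfolder.NewsFolder">

    <!-- Mapping read API: __getitem__, get, keys, values, items,
         __contains__, __iter__, __len__ -->
    <require
        permission="zope.View"
        interface="zope.app.container.interfaces.IReadContainer"
        />

    <!-- Mapping write API: __setitem__, __delitem__ -->
    <require
        permission="zope.ManageContent"
        interface="zope.app.container.interfaces.IWriteContainer"
        />

  </class>

</configure>
```

With declarations like these, `canAccess(container, '__setitem__')` depends on whether the current principal holds the write permission, so it can be used to decide whether to offer an "add" action.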


