[Zope3-Users] Permissions of a given object

[Gary Poster]

On Jan 17, 2006, at 10:38 AM, Frank Burkhardt wrote:

> Hi,
>
> On Sun, Jan 15, 2006 at 11:20:47AM -0500, Stephan Richter wrote:
>> On Thursday 12 January 2006 08:13, Frank Burkhardt wrote:
>>> but the problem remains: canAccess returns True for all inaccessible
>>> objects.
>>
>> It is hard to guess where your setup is wrong. Does it not work  
>> for unit
>> tests, ftests and/or the full application?
>
> The full application.
>
> In a browser:view I want to query my Catalog to return a list of  
> objects:
>
>  list = catalog.searchResults(content='findme')
>
> list contains a list of objects containing the word 'findme'. Now I
> want to filter the list to contain only obj, the current principal
> has access to.
>
>  permitted_list=[]
>  for obj in list:
>     if canAccess(obj,'__call__'):
>        permitted_list.append(obj)
>
> But there's no security proxy wrapping 'obj' s from 'list'.
>
> How do I securityproxify 'obj' before being checked by canAccess so  
> that the
> result of canAccess reflects if the current principal is allowed to  
> access
> 'obj' ?

1) adding a security proxy is done with  
zope.security.checker.ProxyFactory
2) canWrite and canAccess already do this for you: the code you list  
should work without modification of the sort that you describe.

> Maybe I'm completly wrong and there's another way to filter  
> searchresults
> for objects, the user has access to?

The meaning of "objects a user can access" varies significantly from  
application to application.  You will probably want to optimize this  
filter by creating an index eventually.  For some policies and  
questions, this might be hard to do well.  We'll be releasing an  
index that does this sort of thing for one kind of use case soon, but  
it doesn't precisely match what you are doing here.  You'll probably  
want to think about this problem for your app and see how you can  
index the data.

Gary