[Zope3-Users] PAU, how to grant roles to groups
FB
fbo2 at gmx.net
Fri Sep 8 05:55:47 EDT 2006
On Fri, Sep 08, 2006 at 10:12:34AM +0400, Denis Shaposhnikov wrote:
> >>>>> "Stephan" == Stephan Richter <srichter at cosmos.phy.tufts.edu> writes:
>
> Stephan> You cannot grant permissions via ZCML to principals that are
> Stephan> located in the ZODB. You have to use the "Grant" view of the
> Stephan> folder for this.
>
> Oh, that's bad news. Am I right that Zope3 has principals either in
> ZODB or ZCML?
Principals in Zope3 are identified by simple text strings (e.g.
zope.Manager). When a request is processed by the Zope server, it tries to
find an IAuthentication utility which has a method to provide credentials
(username, password) returning a principal object which is not persistent
(-> changing attributes on that object won't affect anything after that
request).
The problem is: when the ZCML tree is parsed, any <grant> statement tries to
verify whether a given principal exists. This verification fails for
principals provided by a PAU or another Site-Manager-registered
IAuthentication utility.

If you want to assign a permission to a principal for the whole ZODB, just
do that for the root folder and it will be inherited down the traverse path.
Example:

    from zope.app.securitypolicy.interfaces import IPrincipalPermissionManager
    from zope.app import zapi

    # context is any located object, e.g. a view's context
    root = zapi.getRoot(context)
    ppm = IPrincipalPermissionManager(root)
    ppm.grantPermissionToPrincipal('zope.ManageContent', 'my.principal')
The permission-principal assignment is stored as a simple text tuple - there's no
check for validity of either the principal's or the permission's id.
Regards,
Frank
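
Added example, not part of the message above and not Zope code: a simplified pure-Python model of the behaviour described, with grants stored as unchecked (permission id, principal id) string pairs and inherited from the root down the path, plus an audit that lists stored ids matching nothing registered. The Folder class, has_permission, audit_grants and the misspelled sample ids are assumptions made for illustration.

```python
class Folder:
    """Stand-in for a ZODB folder holding local grants (model, not Zope)."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.grants = set()  # {(permission_id, principal_id)} as plain strings

    def grant(self, permission_id, principal_id):
        # As in the message: the pair is stored as text with no validity check.
        self.grants.add((permission_id, principal_id))


def has_permission(folder, permission_id, principal_id):
    """Walk from the folder up to the root; a grant on any ancestor applies."""
    node = folder
    while node is not None:
        if (permission_id, principal_id) in node.grants:
            return True
        node = node.parent
    return False


def audit_grants(folders, known_permissions, known_principals):
    """Return stored grants whose ids match nothing that is registered."""
    findings = []
    for folder in folders:
        for perm, principal in sorted(folder.grants):
            if perm not in known_permissions:
                findings.append((folder.name, "unknown permission", perm))
            if principal not in known_principals:
                findings.append((folder.name, "unknown principal", principal))
    return findings


# Constructed sample data.
root = Folder("root")
docs = Folder("docs", parent=root)
root.grant("zope.ManageContent", "my.principal")
root.grant("zope.ManageContent", "my.pricnipal")   # typo, accepted silently
docs.grant("zope.ManageContnet", "my.principal")   # typo, accepted silently

KNOWN_PERMISSIONS = {"zope.ManageContent"}
KNOWN_PRINCIPALS = {"my.principal"}

if __name__ == "__main__":
    print(has_permission(docs, "zope.ManageContent", "my.principal"))
    for finding in audit_grants([root, docs], KNOWN_PERMISSIONS, KNOWN_PRINCIPALS):
        print(finding)
```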