[Zope3-Users] public view on a private object

Marius Gedminas mgedmin at b4net.lt
Thu Dec 20 06:20:15 EST 2007


On Wed, Dec 19, 2007 at 10:56:49PM +0200, Marius Gedminas wrote:
> On Wed, Dec 19, 2007 at 08:32:02PM +0100, Lorenzo Gil Sanchez wrote:
> > - Why do I have to define permissions for a view if I already
> > configured the same permissions for the class? The view should always
> > have more restrictive permissions than the content type class or is
> > there any use case for the opposite?
> 
> The view doesn't know the permission of the content class.  Note that
> your view is registered on IMyContent, and not on MyContent directly.
> You might register more than one content class implementing IMyContent,
> and register different permissions.
> 
> Another thing -- you might protect different attributes with different
> permissions, and the view directive cannot be smart enough to analyse
> all your source code and page templates to see which of those content
> attributes you want to use in this particular view.

Actually, that doesn't matter in practice -- you can have a public view
on a protected content object, and Zope will do the right thing -- ask
the user to authenticate.  In effect the view gets the more restrictive
permissions automatically, the only difference is that the checking
happens not during the traversal to the view, but while rendering the
view.

Only you discovered a bug where protecting __name__/__parent__ too
strongly makes this automation break down.

Marius Gedminas
-- 
We have an advanced scalable groupware communication environment (email)
	-- Alan Cox
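
An added illustration, not part of the message above and not Zope's own code: a simplified stand-alone Python model of the behaviour described, where a public view over a protected object passes the traversal check and the content's permission is enforced only when the view reads an attribute while rendering. The names Proxy, Unauthorized, TitleView, publish and the 401 result are assumptions made for this sketch; only the permission ids zope.Public and zope.View are Zope's.

```python
PUBLIC = "zope.Public"

class Unauthorized(Exception):
    """The current principal lacks the permission guarding an attribute."""

class Proxy:
    """Model of a security proxy: every attribute read is permission-checked."""
    def __init__(self, obj, perms, granted):
        self._obj, self._perms, self._granted = obj, perms, granted

    def __getattr__(self, name):
        # Reached only for names not set in __init__, i.e. the wrapped object's.
        needed = self._perms.get(name)   # undeclared attributes are forbidden
        if needed is None or (needed != PUBLIC and needed not in self._granted):
            raise Unauthorized(name)
        return getattr(self._obj, name)

class MyContent:
    def __init__(self, title):
        self.title = title

CONTENT_PERMS = {"title": "zope.View"}   # constructed declaration for MyContent

class TitleView:
    permission = PUBLIC                  # the view registration is public

    def __init__(self, context):
        self.context = context

    def render(self):
        return "<h1>%s</h1>" % self.context.title   # the proxy checks this read

def publish(view_class, content, granted):
    """Return (status, body) for a principal holding the `granted` permissions."""
    # Traversal: only the view's own permission is consulted.
    if view_class.permission != PUBLIC and view_class.permission not in granted:
        return 401, "authenticate"
    view = view_class(Proxy(content, CONTENT_PERMS, granted))
    try:
        return 200, view.render()        # rendering: content permissions apply
    except Unauthorized as exc:
        return 401, "authenticate (needed to read %s)" % exc

if __name__ == "__main__":
    doc = MyContent("Quarterly report")  # constructed sample object
    print(publish(TitleView, doc, set()))
    print(publish(TitleView, doc, {"zope.View"}))
```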