[Zope3-Users] Permission Question
FB
fbo2 at gmx.net
Wed Feb 7 10:23:05 EST 2007
Hi,
I've got a container in which all of my users have the 'zope.ManageContent'
permission. A subobject of the container is sensitive - users must not be able to
change this object, which means I have to take away the 'zope.ManageContent'
permission from all my users (except for one!) whenever context=subobject.
I tried using security-annotations which worked fine for single users:

    ('user-xy','zope.ManageContent',Deny)
    ('user-owner','zope.ManageContent',Allow)

However, this is rather impractical for 1000+ users - so I tried:

    ('zope.Everybody','zope.ManageContent',Deny)
    ('user-owner','zope.ManageContent',Allow)

- didn't work :-( .
The greater picture: I need a "Sticky-Bit"-Container. Users with
'zope.ManageContent' permission should be allowed to create (certain
kinds of) objects, which will be automatically security (role-)annotated
(principal.id,'mpgsite.Owner',Allow). The 'mpgsite.Owner' role implies
some permissions - incl. 'zope.ManageContent'.
Unfortunately, 'zope.ManageContent' is inherited from the container -
granting editing rights to everyone.
Did I miss anything or is it impossible to "de-assign" a permission
based on roles/groups?
Regards,
Frank