[Zope-CMF] Allow Manager to edit properties of other users

Kevin Carlson khcarlso@bellsouth.net
Mon, 2 Dec 2002 09:55:53 -0500


Tom,

I've often thought that myself, but I think the line of reasoning is that
with private methods you cannot make a permissions "mistake" that might cause
repercussions with a critical method such as this setMemberProperties.  If
you make the method private and thus restrict access to the method to anyone
with file system access, you're fairly safe.

Not saying I totally agree, but I understand the logic behind it.  That
said, you can always alter the source and restart Zope to allow protected
access to the method.

Kevin

-----Original Message-----
From: Tom Cameron [mailto:tomcameron@optusnet.com.au]
Sent: Monday, December 02, 2002 3:15 AM
To: Kevin Carlson
Cc: zope-cmf@zope.org
Subject: RE: [Zope-CMF] Allow Manager to edit properties of other users


Kevin Carlson wrote on Monday, 2 December 2002 9:01 AM:
=> You'll have to do this in an external method.  Also, you might want to take
=> advantage of the _changeUser method in acl_users in that external method's
=> code.  I am doing both of these and it works fine.  Here is the script I am
=> using:
=>
=> -------------------------------------------
=> from Products.CMFCore import utils
=> from AccessControl import User
=>
=> def edituserhandler(ns, username, request) :
=>     pm = utils.getToolByName(ns, 'portal_membership')
=>     member = pm.getMemberById(username)
=>     member.setMemberProperties(request)
=>     password = request.get('password')
=>     confirm = request.get('confirm')
=>     roles = request.get('role')
=>     domains = request.get('domains')
=>     md = ns.acl_users._changeUser(username, password, confirm, roles,
=>                                   domains, request)
=>     return md
=>

Kevin,
Thanks for this, just what I wanted. I assume 'ns' is the portal object.

It does seem a little weird to me that this method is private. I reckon it
should be
     declareProtected('Manage users','setMemberProperties')
so that anybody with the proper manager rights could use it. I wonder if that
should be a suggestion?

Tom
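
An added example, not part of the original messages or of the CMF code base: a variant of the external method quoted above that checks the 'Manage users' permission itself, because the private declaration on setMemberProperties does not apply once the method is called from file-system code. The `PERMISSION` constant, the `ValueError` cases and the lazy imports are assumptions of this example.

```python
# Added example: hardened variant of the external method quoted above.
# Zope imports are lazy so the module also loads outside a Zope instance.

PERMISSION = 'Manage users'  # permission name from Tom's suggestion


def edituserhandler(ns, username, request):
    from AccessControl import getSecurityManager, Unauthorized
    from Products.CMFCore import utils

    # External method code is not subject to the private declaration on
    # setMemberProperties, so check the calling user's permission on the
    # portal object explicitly before touching anything.
    if not getSecurityManager().checkPermission(PERMISSION, ns):
        raise Unauthorized('%s permission required' % PERMISSION)

    pm = utils.getToolByName(ns, 'portal_membership')
    member = pm.getMemberById(username)
    if member is None:
        raise ValueError('no such member: %r' % (username,))

    # Validate everything before the first write, so a rejected request
    # cannot leave the properties changed and the password untouched.
    password = request.get('password')
    confirm = request.get('confirm')
    if password != confirm:
        raise ValueError('password and confirmation do not match')

    member.setMemberProperties(request)
    return ns.acl_users._changeUser(username, password, confirm,
                                    request.get('role'),
                                    request.get('domains'), request)
```

With the check inside the function, the handler refuses callers without the permission regardless of how the External Method object's own permissions are configured.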