[Zope-CMF] [dev] CMF 1.4 alpha

Florent Guillaume fg@nuxeo.com
Tue, 25 Feb 2003 20:08:24 +0000 (UTC)


Please let's discuss the available solutions first, and not check in
something just a few days before a release.

So let's *specify* what we want. From what I see, what's needed is a way
to control from the type itself which users are allowed to create
instances. This has to be
1. enforced when invokeFactory is called
2. very importantly too, queryable so that the UI can display available types

Existing code checks for the "View" permission (by an ugly hack using
Title BTW) on the type information object (TI) to mean that users are
allowed to view instances.

To be coherent, we could check for "Add portal Content" on the TI to
mean that users are allowed to create instances. No need to add a new
permission. We just have to ensure the proposed one doesn't have any
unwanted effect on the TI object itself.

And no need to use getSecurityManager.validate() on some dummy method
for that, _checkPermission is fine.

As the UI can easily check permissions (folder_contents does it
already), I think 2. is covered also.

Florent


David Harvey (Hamish) <david.harvey@bristol.ac.uk> wrote:
> -=-=-=-=-=-
> 
> On Thursday 20 Feb 2003 10:42 am, Yuppie wrote:
> 
> > <http://collector.zope.org/CMF/114>
> > Restriction of content type addition based upon user roles (ie: user x
> > can enter types y and z).
> > (ChrisW ?)
> >
> 
> I've got a patch that might do this. It seems to work for me, but I've been 
> running with a monkey patch doing the same thing for a while, so this isn't a 
> reasonable test. It's possibly a bit crude. It's a reworking as a direct 
> patch against CMFCore of the monkey patch on which ChrisW's suggestion was 
> based, so should conform exactly to that in terms of behaviour, with the 
> exception that the permission name became "Add content instances".
> 
> I tried to add it as a followup to http://collector.zope.org/CMF/114 but keep 
> getting a login screen. Perhaps I can only follow up my own submissions.  
> It's only wee, so I attach it here.
> 
> Cheers,
> Hamish
> 
> -=-=-=-=-=-
> 
> Index: CMFCorePermissions.py
> ===================================================================
> RCS file: /cvs-repository/CMF/CMFCore/CMFCorePermissions.py,v
> retrieving revision 1.12
> diff -u -r1.12 CMFCorePermissions.py
> --- CMFCorePermissions.py	10 Dec 2002 21:44:39 -0000	1.12
> +++ CMFCorePermissions.py	20 Feb 2003 10:54:00 -0000
> @@ -81,6 +81,9 @@
>  AddPortalContent = 'Add portal content'
>  setDefaultRoles(AddPortalContent, ('Owner','Manager',))  # + Member
>  
> +AddContentInstances = 'Add content instances'
> +setDefaultRoles( AddContentInstances, ( 'Owner', 'Manager', 'Member',))
> +
>  AddPortalMember = 'Add portal member'
>  setDefaultRoles(AddPortalMember, ('Anonymous', 'Manager',))
>  
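Review bot: the default roles on the new `AddContentInstances` line include 'Member', while `AddPortalContent` directly above defaults to Owner and Manager with Member only mentioned in a comment. Add a comment explaining why the defaults differ and how this permission relates to 'Add portal content', since both now gate content creation. The spacing of `setDefaultRoles( AddContentInstances, ( 'Owner', ...` also differs from the neighbouring calls; match their `setDefaultRoles(Name, (...))` style.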
> Index: TypesTool.py
> ===================================================================
> RCS file: /cvs-repository/CMF/CMFCore/TypesTool.py,v
> retrieving revision 1.47
> diff -u -r1.47 TypesTool.py
> --- TypesTool.py	6 Jan 2003 20:37:06 -0000	1.47
> +++ TypesTool.py	20 Feb 2003 10:54:00 -0000
> @@ -32,6 +32,7 @@
>  from CMFCorePermissions import View
>  from CMFCorePermissions import ManagePortal
>  from CMFCorePermissions import AccessContentsInformation
> +from CMFCorePermissions import AddContentInstances
>  
>  from interfaces.portal_types import ContentTypeInformation as ITypeInformation
>  from interfaces.portal_types import portal_types as ITypesTool
> @@ -451,6 +452,12 @@
>      #
>      #   Agent methods
>      #
> +    security.declareProtected(AddContentInstances, '_testCreationPermission')
> +    def _testCreationPermission(self):
> +        # Dummy method on which to test AddContentInstances
> +        # permission before allowing creation of content
> +        pass
> +
>      def _getFactoryMethod(self, container):
>          if not self.product or not self.factory:
>              raise ValueError, ('Product factory for %s was undefined' %
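Review bot: `_testCreationPermission` has a `pass` body and exists only to carry a `declareProtected` declaration, which makes the access rule indirect and easy to miss when reading the class. Either turn the comment into a docstring that names the callers validating against it, or check the permission directly on the type information object, as the reply at the top of this thread suggests with `_checkPermission`.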
> @@ -460,7 +467,8 @@
>          if m is None:
>              raise ValueError, ('Product factory for %s was invalid' %
>                                 self.getId())
> -        if getSecurityManager().validate(p, p, self.factory, m):
> +        if getSecurityManager().validate(p, p, self.factory, m) \
> +            and getSecurityManager().validate(self, self,
> '_testCreationPermission', self._testCreationPermission):
>              return m
>          raise Unauthorized, ('Cannot create %s' % self.getId())
>  
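Review bot: the continuation of the added condition was wrapped by the mailer (`'_testCreationPermission', self._testCreationPermission):` sits on its own line with no diff marker), so this hunk will not apply as posted; resend it as an attachment or keep added lines within the wrap width. `getSecurityManager()` is also called twice in one expression and could be bound once. The `Unauthorized` message 'Cannot create %s' does not say which of the two checks failed, which will make a misconfigured type hard to diagnose.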
> @@ -475,7 +483,8 @@
>              try:
>                  # validate() can either raise Unauthorized or return 0 to
>                  # mean unauthorized.
> -                if getSecurityManager().validate(p, p, self.factory, m):
> +                if getSecurityManager().validate(p, p, self.factory, m) \
> +                    and getSecurityManager().validate(self, self,
> '_testCreationPermission', self._testCreationPermission):
>                      return m
>              except Unauthorized:
>                  pass
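Review bot: the two-part condition added inside this `try` is a copy of the one in the previous hunk, so the path that raises `Unauthorized` and this path that swallows it can drift apart if only one is edited later. Move the combined check into a single helper that both sites call. The mail-wrapped continuation line problem applies here as well.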
> 
> -=-=-=-=-=-


-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87  http://nuxeo.com  mailto:fg@nuxeo.com
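
The two requirements in the message above (enforcement at creation time, and a query the UI can use), sketched as an added example that is not part of the original message or of CMF. It is a stand-alone Python model using no Zope API; every name in it (`TypeInfo`, `Folder`, `check_permission`, `is_construction_allowed`, `invoke_factory`, `list_addable_types`) is hypothetical.

```python
# Stand-alone model, not Zope/CMF code: all names here are hypothetical.
ADD_PORTAL_CONTENT = "Add portal content"


class Unauthorized(Exception):
    pass


class TypeInfo:
    """Stands in for a type information object (TI) with its own permission settings."""
    def __init__(self, type_id, add_roles):
        self.type_id = type_id
        # Roles granted ADD_PORTAL_CONTENT on this TI (constructed sample data).
        self.permission_roles = {ADD_PORTAL_CONTENT: frozenset(add_roles)}


class Folder:
    def __init__(self, add_roles):
        self.permission_roles = {ADD_PORTAL_CONTENT: frozenset(add_roles)}
        self.items = {}


def check_permission(permission, obj, user_roles):
    """True if any of the user's roles holds `permission` on `obj`."""
    return bool(obj.permission_roles.get(permission, frozenset()) & set(user_roles))


def is_construction_allowed(ti, container, user_roles):
    """One predicate shared by enforcement and by the UI query, so they cannot diverge."""
    return (check_permission(ADD_PORTAL_CONTENT, container, user_roles)
            and check_permission(ADD_PORTAL_CONTENT, ti, user_roles))


def invoke_factory(types, container, type_id, obj_id, user_roles):
    """Requirement 1: refuse creation unless the shared predicate passes."""
    ti = types.get(type_id)
    if ti is None or not is_construction_allowed(ti, container, user_roles):
        raise Unauthorized("Cannot create %s" % type_id)
    container.items[obj_id] = {"id": obj_id, "type": ti.type_id}
    return container.items[obj_id]


def list_addable_types(types, container, user_roles):
    """Requirement 2: the types the UI may offer, derived from the same predicate."""
    return sorted(type_id for type_id, ti in types.items()
                  if is_construction_allowed(ti, container, user_roles))


# Constructed registry: Members may add Documents, only Managers may add News Items.
TYPES = {"Document": TypeInfo("Document", ["Member", "Manager"]),
         "News Item": TypeInfo("News Item", ["Manager"])}
```

Because the listing and the factory call go through the same predicate, a type hidden from the add menu is also refused when requested directly by id.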