[Zope-DB] setting up user privileges

Dieter Maurer dieter at handshake.de
Thu Sep 29 14:39:24 EDT 2005

Marvin Calingacion wrote at 2005-9-29 21:30 +0800:
>I would like to ask for some advice and tips on how to set-up
>user-privileges on the site I made with Zope. These privileges will be based
>on some sections of a given page while others will require a whole page.
>-> Page 1
>- Section/Module 1
>- Section/Module 2
>-> Page 2
>- Section/Module 1
>- Section/Module 2
>As I read the manual/book, I found that Zope has its own mechanism of
>setting securities/privileges even creating groups with its own set of
>rights on the site but I am not able to comprehend how to apply such with my
>site. Hope to hear one from you.

While you did not understand the Zope book, I did not understand
what you want to achieve...

I will try to help you understand the basic principles:

   Zope is an object oriented systems. What you essentially
   do in such a system is calling methods.

   Some methods (in fact most of them) do sensitve things.
   You want the protect their call (to protect your system).
   Zope introduces so called permissions to protect methods.

   A permission is just a (hopefully speaking) name, e.g. "View".
   A given permission can be used to protect zero, one or more
   methods. A given method can be protected by a single permission.

   When a method is protected by permission "P", then
   the user calling the method must have permission "P".
   Otherwise, an "Unauthorized" exception is raised.

   How does a user gets a permission "P"?
   This does not happen directly but via so called
   A role is again just a (hopefully speaking) name, e.g. "Manager".
   A user can have a set of global roles (maintained
   in the UserFolder).
   Furthermore, he can get additional roles in subhierarchies.
   These are called (somewhat wrong) "local roles" (roles
   valid not globally but only in a local context).

   With respect to a given object (and the calls of its methods),
   a user has a set of roles on this object: his global
   roles and the local roles in effect at this object.

   Finally, there is the "permission to role" mapping, managed
   in the "Permissions" tab of each object.
   There you specify for each permission which roles should
   be granted the permission. You can also specify whether
   grants from higher up in the hierarchy should be acquired
   or ignored. You can say for example that the permission "View"
   should be granted to the role "Manager".

   Now, the picture is complete.
   When a user wants to call a method of object "o" protected by
   permission "P", Zope will check whether the user as on
   "o" a roles for which the permission "P" is granted.

How do you play with this setup:

   Usually, the permissions and the methods they protect
   are fixed (unless you create new methods and permissions
   that protect them). Thus, you do not play with these.

   Instead, you play with roles (define new ones, if necessary),
   and assign them to users, either globally or locally in different
   parts of your site (--> "local roles").

   Furthermore, you adjust the "permission to role" mapping
   in such a way, that a user can (based on its roles) precisely
   call the methods you want him to be able to call (and not the others).


More information about the Zope-DB mailing list