[Zope-dev] Proposal: Align Zope 2 and Zope 3 permissions

Hanno Schlichting hannosch at hannosch.eu
Sun Apr 12 16:22:02 EDT 2009


Martin Aspeli wrote:
> So, here is what I'd like to propose, ideally for Zope 2.12:
> 
>   1) Use an event handler to ensure that any <permission /> declared in 
> ZCML actually creates a valid, Zope 2 permission. I have working code 
> for this here which we could put in Products.Five with ease.

+1

>   2) Emit a warning instead of an error in Five's handler for the <class 
> /> directive when set_attributes or set_schema are used.

+1

>   3) Change the Permission class in AccessControl so that it tries to 
> look up an IPermission utility and use the title of that utility as the 
> permission name, falling back on the current behaviour of using the 
> passed permission name directly.

-1

I think we should start advertising the zope.security API for this
instead. For example:

from zope.security import checkPermission
checkPermission('zope2.Private', context)

This works by looking up the current security interaction from a thread
local, which in Five's case is a FiveSecurityPolicy. This policy
delegates to the checkPermission function found in
Products.Five.security which does exactly what you want:

if (permission in ('zope.Public', 'zope2.Public') or
    permission is None or permission is CheckerPublic):
    return True

if isinstance(permission, basestring):
    permission = queryUtility(IPermission, unicode(permission))
    if permission is None:
        return False

if getSecurityManager().checkPermission(permission.title, object):
    return True

return False
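
The id-to-title translation described in the message above, as an added example that is not part of the original message and is not Products.Five or zope.security code. It is a stdlib-only model: `ToySecurityManager`, `PERMISSIONS`, `check_permission` and `audit` are hypothetical stand-ins, the registry contents are constructed, and only string permission ids are handled.

```python
CHECKER_PUBLIC = object()  # stand-in for zope.security.checker.CheckerPublic
PUBLIC_IDS = ("zope.Public", "zope2.Public")

# Constructed registry: Zope 3 permission id -> Zope 2 permission title,
# standing in for the IPermission utilities registered from <permission /> ZCML.
PERMISSIONS = {
    "zope2.View": "View",
    "zope2.ManageProperties": "Manage properties",
}


class ToySecurityManager:
    """Stand-in for the Zope 2 security manager, which only knows titles."""

    def __init__(self, granted_titles):
        self.granted = set(granted_titles)

    def checkPermission(self, title, obj):
        return title in self.granted


def check_permission(permission_id, obj, manager, registry=PERMISSIONS):
    """Follow the order of checks in the excerpt: public, lookup, delegate."""
    if (permission_id in PUBLIC_IDS or permission_id is None
            or permission_id is CHECKER_PUBLIC):
        return True
    title = registry.get(permission_id)
    if title is None:
        return False  # unregistered id: deny instead of guessing a title
    return manager.checkPermission(title, obj)


def audit(ids, manager, registry=PERMISSIONS):
    """Separate 'unregistered' ids (typos, missing ZCML) from real denials."""
    report = {}
    for pid in ids:
        if pid not in PUBLIC_IDS and pid not in registry:
            report[pid] = "unregistered"
        elif check_permission(pid, None, manager, registry):
            report[pid] = "granted"
        else:
            report[pid] = "denied"
    return report
```

A mistyped id and a Zope 2 title passed where an id is expected both come back as `False` from `check_permission`, the same as a real denial, which is why `audit` reports unregistered ids as their own category.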


