[Zope] - how to validate access to an object, part 2

Simon Michael simon@joyful.com
Tue, 5 Jan 1999 07:59:12 -0800


I'm close, but still not there. I'm sure it will turn out to be simple. Can
any Zope guru suggest a solution?

I wrote:
> My search form uses an external method which is similar to
> FindSupport.PrincipiaFind(). It has one problem - it lists [file objects]
> for which the user does not have view permission.

To recap, I want my find form/method to list only objects for which the user
has view permission, like #tree does with the "skip_unauthorized" attribute.

I saw that #in also has a skip_unauthorized attribute. So I tried using this
in the DTML which displays the find results - no effect, it still lists all
the file objects.

Another DTML approach - in the results list I tried:
<!--#var expr="_.getattr(_['sequence-item'],'id')()"-->
and this does raise an authorization error at the appropriate time (i.e. when
listing an unauthorized object). I want to skip those objects, not cause an
exception. So..

I've tried calling validate(), and I've tried calling careful_getattr in the
find method, but only get TypeErrors and an unhelpful traceback. Debugging
has been... an adventure.. :-\ I will send some notes on this.

Here's the essence of my find method:

def ExtranetFind(self,
                 obj,
                 obj_searchterm=None,
                 obj_days=0,
                 search_sub=0,
                 REQUEST=None,
                 result=None,
                 pre=''):
    """extranet find function, based on PrincipiaFind"""
...
    base=obj
    if hasattr(obj, 'aq_base'):
        base=obj.aq_base
...
    for id, ob in base.objectItems():

        # skip this object if user should not have access to it
        md=TemplateDict()
        md.validate = REQUEST.AUTHENTICATED_USER.validate
        try: d['getattr'](md,ob,'title') #<-- cannot find right syntax
        except: continue

        <check other search criteria>
        <append to results if match>


-Simon
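
Added example, not part of the original post and not Zope's own API: a constructed Python model of the behaviour asked for above, where a find routine skips objects the user may not view and catches only the access-denial exception, so that unrelated errors (such as a TypeError) surface instead of being hidden by a bare except. Unauthorized, User, Item, effective_roles, guarded_getattr, find and the sample tree are all hypothetical names and data.

```python
# Constructed model for illustration; none of these names are Zope APIs.
class Unauthorized(Exception):
    """The user lacks a role allowed to view the object."""

class User:
    def __init__(self, name, roles):
        self.name, self.roles = name, frozenset(roles)

class Item:
    """view_roles=None means the view roles are inherited from the container."""
    def __init__(self, id, title, view_roles=None, children=()):
        self.id, self.title, self.view_roles = id, title, view_roles
        self.children = list(children)

def effective_roles(ob, inherited):
    return frozenset(inherited if ob.view_roles is None else ob.view_roles)

def guarded_getattr(user, ob, name, inherited):
    """Return the attribute only if the user may view ob; otherwise raise."""
    if not user.roles & effective_roles(ob, inherited):
        raise Unauthorized(f"{user.name} may not view {ob.id}")
    return getattr(ob, name)

def find(user, container, term, search_sub=False, inherited=(), pre=""):
    """Return (path, title) pairs for viewable items whose title contains term."""
    here = effective_roles(container, inherited)
    results = []
    for ob in container.children:
        try:
            title = guarded_getattr(user, ob, "title", here)
        except Unauthorized:    # swallow the access denial only
            continue            # skip the object and everything below it
        if term.lower() in title.lower():
            results.append((pre + ob.id, title))
        if search_sub and ob.children:
            results += find(user, ob, term, True, here, pre + ob.id + "/")
    return results

# Constructed sample tree.
ROOT = Item("root", "Extranet", ["Member", "Manager"], [
    Item("report.pdf", "Quarterly report"),
    Item("salaries.xls", "Salary report", ["Manager"]),
    Item("board", "Board reports", ["Manager"], [
        Item("minutes.doc", "Report of minutes")]),
])

if __name__ == "__main__":
    print(find(User("alice", ["Member"]), ROOT, "report", search_sub=True))
    print(find(User("bob", ["Manager"]), ROOT, "report", search_sub=True))
```

In this model a denied container hides its whole subtree, and an item with a malformed title raises its own error rather than silently disappearing from the results.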