[Zope] Security - View vs Access Contents

Dieter Maurer dieter@handshake.de
Wed, 18 Apr 2001 21:37:21 +0200 (CEST)


Tim Considine writes:
 > (1)  I want to set the security properties of a sub-folder to relate to
 > a specific user.  So I uncheck View for the anonymous user to "force" a
 > Zope login.  But it doesn't appear to work.  So I uncheck Access
 > Contents too - and it does seem to work.
 >
 > What is the difference between these 2 permissions ?
The basic Zope security machinery does not associate semantics 
with the permissions. It is up to the developer (and his sense
for consistency and semantics) to choose properly named
permissions.

I have not yet seen a document that describes rules/guidelines
on how permissions are used to protect Zope methods.

 > (2)  Also I am struggling then to make Zope check the
 > AUTHENTICATED_USER against a property set for the folder which contains
 > the authorised user's initials (which are the same as login name).
What is a property set?

 > I am trying to use a standard DTML method but set individual property
 > elements for each sub-folder.  Is this OK as an approach ?  Or is there
 > a better one ?
 >
 > My DTML code is this ... but it's clearly wrong !  [User is name or
 > property element set for the folder.]
 >
 > <dtml-if expr="AUTHENTICATED_USER.getUserName()==objectValues('User')">
"objectValues(meta_type)" returns the contained objects of an
ObjectManager (!) with meta type "meta_type".
Never use "objectValues" for objects that are not ObjectManagers.
They define a stupid and unusable "objectValues" method.

If your folder has a property called "User", then you would
use:

   <dtml-if expr="AUTHENTICATED_USER.getUserName()==User">

If your "User" were not a single user, but a list of
users, the following would look promising:

   <dtml-if expr="AUTHENTICATED_USER.getUserName() in User">


Good reading for people starting to learn Zope:

       the Zope Book (-> zope.org)

and     

       URL:http://www.dieter.handshake.de/pyprojects/zope/book/chap3.html


Dieter
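
The two checks from the reply above, modelled in plain Python as an added example (not part of the original message and not Zope code). It shows why the type of the "User" property matters for the `in` form: on current Python, `in` against a single string is a substring test, so a partial or empty name would pass. The function names and sample values are hypothetical, and the property is assumed to arrive either as one string or as a sequence of strings.

```python
# Added example: stand-in for the folder property "User" from the reply.
# Assumption: the value is one string (Zope "string" property) or a
# sequence of strings (Zope "lines" / "tokens" property).

def allowed_users(prop):
    """Normalize the property value to a set of exact login names."""
    if prop is None:
        return frozenset()
    if isinstance(prop, str):
        prop = [prop]
    # Drop blank entries so an empty line never matches an empty name.
    return frozenset(n.strip() for n in prop if n and n.strip())


def user_matches(username, prop):
    """Exact, case-sensitive match of the login name against the property."""
    if not username:
        return False
    return username in allowed_users(prop)


def naive_in(username, prop):
    """What `username in User` evaluates to without normalization."""
    return username in prop


# Constructed sample values (not from the original post).
SINGLE = "tc"                # string property holding one user's initials
MANY = ["tc", "dm", "jb"]    # lines property holding several users

if __name__ == "__main__":
    print("name   naive-in-string  exact-string  exact-list")
    for name in ("tc", "t", "", "dm"):
        print("%-6r %-16s %-13s %s" % (
            name,
            naive_in(name, SINGLE),      # substring test on a string
            user_matches(name, SINGLE),  # exact match, single user
            user_matches(name, MANY),    # exact match, list of users
        ))
```
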