[Zope] Security question: looking up constructor permission

Jean Jordaan jean at upfrontsystems.co.za
Fri Apr 9 03:06:33 EDT 2004


Hi all ..

.. my brain needs a nudge again. I need to fetch an object
from the ZODB subject to security checks. This doesn't work:

   result = [self.restrictedTraverse(p.getPath()) for p in proxies]

because for a path such as '/app/container/object' the user
might have access to 'object' without having access to
'container'. I think this will work:

   user = self.REQUEST.AUTHENTICATED_USER
   result = []
   for p in proxies:
     o = p.getObject()
     if user.has_permission(permission_name, o):
       result.append(o)

but I don't know where to find 'permission_name'. It's the
permission registered for the class at __init__ time:

         context.registerClass(
             class_instance,
             permission = 'Add %s' % classname,
             constructors = getConstructor(module, class_instance)
         )

Any hints?
-- 
Jean Jordaan
http://www.upfrontsystems.co.za
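
A toy model of the problem described in the message above, added here as an illustration and not code from the post or from Zope. Node, restricted_traverse, unrestricted_traverse and has_permission are hypothetical stand-ins, not Zope's API, and the tree and users are constructed. It shows per-hop checking rejecting '/app/container/object' for a user who may see 'object' but not 'container', while fetching the object and checking only it keeps the object.

```python
class Unauthorized(Exception):
    pass

class Node:
    """Constructed stand-in for a stored object with a per-object ACL."""
    def __init__(self, name, viewers, children=()):
        self.name = name
        self.viewers = set(viewers)          # users allowed to view this node
        self.children = {c.name: c for c in children}

def has_permission(user, node):
    return user in node.viewers

def unrestricted_traverse(root, path):
    """Walk the path with no security checks at all."""
    node = root
    for name in path.strip("/").split("/"):
        node = node.children[name]
    return node

def restricted_traverse(root, path, user):
    """Walk the path, checking the user against every hop on the way."""
    node = root
    for name in path.strip("/").split("/"):
        node = node.children[name]
        if not has_permission(user, node):
            raise Unauthorized("%s may not access %r" % (user, name))
    return node

def visible_by_traversal(root, paths, user):
    found = []
    for p in paths:
        try:
            found.append(restricted_traverse(root, p, user).name)
        except Unauthorized:
            pass                              # one denied hop hides the leaf
    return found

def visible_by_object_check(root, paths, user):
    # Fetch without checks, then check only the object itself.
    objs = [unrestricted_traverse(root, p) for p in paths]
    return [o.name for o in objs if has_permission(user, o)]

# Constructed sample: alice can view 'object' but not its container.
ROOT = Node("", [], [Node("app", {"alice", "bob"}, [
    Node("container", {"bob"}, [
        Node("object", {"alice", "bob"}), Node("secret", {"bob"})])])])
PATHS = ["/app/container/object", "/app/container/secret"]
```

In this model the second approach only filters correctly if the permission checked on the object is the one that governs viewing it.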



