[Zope] Security question: looking up permission protecting a class

Jean Jordaan jean at upfrontsystems.co.za
Tue Apr 13 05:56:53 EDT 2004


Hi Sandor

Thanks for the reply.

> AFAIK restrictedTraverse(path) checks roles on every step of the path.
> It uses the __role__ attribute of the object.

Yup, that's the problem.

Here's what I ended up doing::

   result = []
   for p in self.Catalog({'meta_type': meta_type, prop_name: value}):
     obj = p.getObject()
     permission = obj.__ac_permissions__[0][0]
     if self.REQUEST.AUTHENTICATED_USER.has_permission(permission, obj):
       result.append(obj)

That 'obj.__ac_permissions__[0][0]' looks dog-ugly to me. I'm
sure there must be a better way.

 > You may want to have a look at the declareObject* methods:
 > http://zope.org/Documentation/Books/ZDG/current/Security.stx#3-45

My objects are already protected:
     security.declareObjectProtected('View Customer')
but this only helps when the user is browsing to the object through
the web, or when I use 'restrictedTraverse' or another security-
checker explicitly, as above.

The 'obj.__ac_permissions__[0][0]' lookup returns the permission
specified by the 'declareObjectProtected' call on the class.

-- 
Jean Jordaan
http://www.upfrontsystems.co.za
     /training   <-- Zope/Plone training!




More information about the Zope mailing list