[Zope] Defining my own security

Matt Hamilton matth at netsight.co.uk
Fri Apr 30 09:55:15 EDT 2004



> Okay, here goes...
>
> I have created a Zope Product that extends a Zope Folder object and I
> want to add a non-traditional security check before allowing users to
> "View" stuff in the "folder".  For reasons that are too complicated to
> explain here, I can't use Zope roles and permissions for this check (in
> fact, this check should be done in addition to Zope's existing security
> mechanism checks).  What I want to do is verify that a particular
> variable in the "Session" matches a specific property of the "folder".
> If it does not match, I want to raise an unauthorized error.
>
> Is this kind of thing possible?  Any help will be appreciated.

Steve,
  Yes, this kind of thing is possible.  The main question is what exactly
you want to protect, i.e. is it a method call on that object (e.g.
objectValues).

The general code would be something like:

from zExceptions import Unauthorized

# REQUEST is the publisher request your method receives (or acquires);
# a missing 'my_session_var' raises KeyError here, so set it up front
data = REQUEST.SESSION['my_session_var']
if data != self.myproperty:
    # Unauthorized is turned into a 401/login challenge by the publisher
    raise Unauthorized('<strong>You are not authorized to access this '
                       'resource.</strong>')


The more difficult question is where exactly in your code to put this.  If
you want to protect the access of objects within the folder, then I think
you will need to put it in __getitem__ somewhere.  However, I do remember
talking to someone else about this and one of the methods like that
overrides the security, or swallows the exception or something.  You may
have to play around with it, or try putting it in __bobo_traverse__.

-Matt

-- 
Matt Hamilton                                         matth at netsight.co.uk
Netsight Internet Solutions, Ltd.          Business Vision on the Internet
http://www.netsight.co.uk                               +44 (0)117 9090901
Web Design | Zope/Plone Development and Consulting | Co-location | Hosting
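An added example (not Matt's or Steve's code) of the __bobo_traverse__ option: a Folder subclass that runs the session-vs-property check for every lookup below it, on top of Zope's normal permission checks, which the publisher still applies afterwards. The stand-in Folder/Unauthorized classes and FakeRequest are assumptions so it runs without Zope installed.

```python
# Added example, not from the thread: session check hooked into traversal.
# The try/except is an assumption so the file also runs without Zope.
try:
    from OFS.Folder import Folder
    from zExceptions import Unauthorized
except ImportError:
    class Unauthorized(Exception):
        """Stand-in for zExceptions.Unauthorized."""

    class Folder(object):
        """Minimal stand-in for OFS.Folder.Folder (subobjects in a dict)."""
        def __init__(self, id):
            self.id, self._objs = id, {}

        def _setObject(self, id, obj):
            self._objs[id] = obj

        def _getOb(self, id, default=None):
            return self._objs.get(id, default)

SESSION_KEY = 'my_session_var'   # name used in the thread


class GatedFolder(Folder):
    """Contents reachable only when REQUEST.SESSION[SESSION_KEY] == myproperty."""
    myproperty = ''

    def allows(self, REQUEST):
        # A missing SESSION or key counts as "not authorized" (no KeyError/500),
        # and an empty value never matches, even if myproperty is still unset.
        session = getattr(REQUEST, 'SESSION', None)
        value = session.get(SESSION_KEY) if session is not None else None
        return bool(value) and value == self.myproperty

    def __bobo_traverse__(self, REQUEST, name):
        # The publisher calls this for each path segment directly below the
        # folder, so every lookup is gated; a KeyError becomes a 404 upstream.
        # (Real code would also fall back to getattr(self, name) for methods.)
        if not self.allows(REQUEST):
            raise Unauthorized('You are not authorized to access this resource.')
        ob = self._getOb(name, None)
        if ob is None:
            raise KeyError(name)
        return ob


class FakeRequest(object):
    """Constructed stand-in for a Zope REQUEST carrying a SESSION mapping."""
    def __init__(self, session):
        self.SESSION = session
```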