[Zope] confused on permissions and roles

Roché Compaan roche at upfrontsystems.co.za
Thu Jul 1 02:52:57 EDT 2004


John Hunter wrote:
>>>>>>"John" == John Hunter <jdhunter at ace.bsd.uchicago.edu> writes:
> 
> 
>     John> I have a class that inherits from RoleManager (via Folder).
>     John> It defined additional roles, including 'Administrator'.  I
>     John> would like the Administrator to be able to view management
>     John> screens and create objects of certain types, but not be able
>     John> to delete or rename objects of certain types.
> 
> A followup - I've learned a bit more and realized I made a mistake in
> the code I posted so I want to focus my question.
> 
> Goal: allow authenticated users with Role 'Administrator' or 'Manager'
>       to access the manage_main screen of my instance, but disallow
>       non-authenticated users or users with other roles.
> 
> I've learned that ClassSecurityInfo supersedes __ac_permissions__, so
> I'm focusing my energies here
> 
> In the example below, RestrictedFolder derives from Folder
> 
> Example 1: I can access manage_main w/o no passwd authentication.  I
>            want to be prompted for passwd and given access if user has
>            role Administrator or Manager
> 
>     class Workflow(RestrictedFolder):
>         """
>         The base folder
>         """
>         meta_type="Workflow"
> 
>         __ac_roles__=('Manager', 'Administrator', 'Researcher', 'Reviewer')
> 
>         #permission = 'View management screens'
>         permission = 'View'
>         roles = ('Manager', 'Administrator')
>         security = ClassSecurityInfo()
>         security.setDefaultAccess('deny')
> 
>         def __init__(self, id=None):
>             # snip
>             pass
> 
>         security.setPermissionDefault(permission, roles)
>         security.declareProtected(permission, 'manage_main')
>         def manage_main(self, *args, **kwargs):
>             'does this need to be overridden to have security apply to it?'
>             return RestrictedFolder.manage_main(self, *args, **kwargs)
>     InitializeClass(Workflow)
> 
> Example 2: a user with Role Administrator cannot access manage_main,
>            the following error is produced (passwd is correct for this
>            user)
> 
>     You are not authorized to access this resource.
> 
>     Username and password are not correct. (Also, an error occurred
>     while attempting to render the standard error message.)
> 
> In this example, the code is the same as above, but I've reversed
> the permission comment.  That is, permission = 'View management screens'
> 
> I am calling InitializeClass(RestrictedFolder).  I am refreshing my
> product and restarting my browser with each test.  Changing the
> default from 'deny' to 'allow' produces almost the same result (the
> only difference is in example 2 I don't get the part about the
> standard error message_
> 
> I'm clearly missing something fundamental.  What?

You got the first part right and that is making security declarations on 
your class, but you still have to specify security on the folder 
instance by going to the security tab and giving 'Administrator' the 
required permissions or writing code that does this automatically when 
you create the folder.

I think you are misunderstanding what __ac_roles__ mean - this only 
provides pre-defined role names.

-- 
Roché Compaan
Upfront Systems                 http://www.upfrontsystems.co.za


More information about the Zope mailing list