[Zope3-Users] questions on the security framework

Leeuw van der, Tim tim.leeuwvander at nl.unisys.com
Mon Jan 3 12:30:15 EST 2005


I know very little about z3, but if IAnnouncement is a sub-interface of IMessage (ITopic), then you can perhaps just not allow normal users the right to add / create Announcements? That's the step before __setitem__ takes place.

Or am I totally off-base?



-----Original Message-----
From: zope3-users-bounces at zope.org [mailto:zope3-users-bounces at zope.org] On Behalf Of Sven Schomaker
Sent: Thursday, December 30, 2004 11:18 AM
To: zope3-users at zope.org
Subject: [Zope3-Users] questions on the security framework


Hello dear list people,

I'm currently about to evaluate z3 to be able
to suit the needs I face in a wider project
that is about to be started out by me.

So far z3 seems quite promising but there are
still some questions to be solved before being
able to assure (almost) risk-free use of z3 and
I hope you are able to answer some of my questions
(or at least give me a hint about where to look
about for answers).

To get somewhat familiar with the new z3
framework I read the z3 book and started out
to code the message board in a slightly extended
fashion. Now that I'm on the job to implement
some fancy security system on the message board
I'm admittedly stuck a bit and wonder how to do it.

So here is what I intend to do:
-----------------------------------------

A message board can contain announcements
and topics. Topics are actually nothing more
than renamed messages and can contain replies.

Moderators/Managers are supposed to be able
to post announcements. Valid users of the
message board should be able to post topics,
messages and replies (at this point it doesn't
seem to matter how they become valid users).

If a message/topic gets posted, it is submitted
to the moderator and gets rejected or approved,
i.e. messages are subject to a specific workflow.

And here are my questions:
--------------------------------------

Since the message board is a container and the
framework uses __setitem__ to add new objects
to the container, how would one distinguish the
permissions to add an announcement from the
permission to add a topic with zcml or with
explicit Python coding?

Another question is about involving the workflow
into the security system. As I was able to determine
there is the possibility to configure permissions
to cause state transitions using zcml. That's fine
so far, but how would one restrict e.g. the ability
to modify messages once they have been submitted,
i.e. bind the permissions on content-objects to a
specific workflow state?

The next question is whether there is something
like a built-in role for the owner of an object or
if there is the notion of ownership at all? For me
this seems to be necessary if one would only grant
permissions to modify an object if he/she is the owner
of that particular object as it has been done in z2.

And last but not least is there the concept of local
roles like it has been in z2?

So far so good, many questions, quite a lot of text
and a good hope that somebody can give me a hint.

Great thanks in advance and a happy new year
to all of you

Sven Schomaker

--
__________________Addressed by:_________________

Dipl.-Inf. (FH) Sven Holger Cochise Schomaker

Linie M - Metall Form Farbe - GmbH
Industriestraße 8
63674 Altenstadt (Hessen)

Tel.: +49 6047 97 121
      +49 179  14 79 309

Mail: sven.schomaker at linie-m.de
      sven.schomaker at gmx.de

Public Key: hkp://blackhole.pca.dfn.de
            hkp://pgp.mit.edu

Key ID: D581185EFF60FEA0

Key fingerprint: 28FB 599C 4591 D200 BC69
                 EB88 D581 185E FF60 FEA0
