[Zope3-Users] Permission Question

FB fbo2 at gmx.net
Wed Feb 7 10:23:05 EST 2007


Hi,

I've got a container in which all of my users have the 'zope.ManageContent'
permission. A subobject of the container is sensitive - users must not be able to
change this object, which means I have to take away the 'zope.ManageContent'
permission from all my users (except for one!) whenever context=subobject.

I tried using security-annotations which worked fine for single users:
  ('user-xy','zope.ManageContent',Deny)
  ('user-owner','zope.ManageContent',Allow)

However, this is rather impractical for 1000+ users - so I tried:
  ('zope.Everybody','zope.ManageContent',Deny)
  ('user-owner','zope.ManageContent',Allow)
 - didn't work :-(

The greater picture: I need a "Sticky-Bit"-Container. Users with
'zope.ManageContent' permission should be allowed to create (certain
kinds of) objects, which will be automatically security (role-)annotated
(principal.id,'mpgsite.Owner',Allow). The 'mpgsite.Owner' role implies
some permissions - incl. 'zope.ManageContent'.
Unfortunately, 'zope.ManageContent' is inherited from the container -
granting editing rights to everyone.

Did I miss anything or is it impossible to "de-assign" a permission
based on roles/groups?

Regards,

Frank

