Hi,

I'm having some difficulties with view_execution_permitted. I'm writing
a traversal based application.

In a view of the root container I generate a list of all subobjects the
actual user has permission to view (permission to visit the default view
for the subobject).

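    from pyramid.security import view_execution_permitted

    # Collect every club whose default view the current user may execute.
    ret = {}
    ret['vereine'] = []
    for vobj in context.getClubs():
        if view_execution_permitted(vobj, request):
            entry = { 'Link': request.resource_url(vobj)
                    , 'Name': vobj.clubname
                    , 'Object': vobj
                    }
            ret['vereine'].append(entry)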

As you see, view_execution_permitted is called with the subobject as
context and the actual request to provide access to the registry etc.

view_execution_permitted calls the method _permitted of the view with
context and request. But here comes the problem.

The subobject has its own set of groups. And the callback would return
them if called with the correct context, but
request.authn_policy.effective_principals doesn't get the context given
to _permitted, so it can only work with the context in the request,
which in this case is the root object and not the subobject with the
groups definition. So only the principals on the root container are
returned and the permission check against the ACL of the subobject fails.

I don't see a solution without changing Pyramid, as the context loss is
in the _permitted method in pyramid/config/views.py. So even a different
authentication policy wouldn't fix this problem, as the context loss
already happened.

Maybe I'm doing the whole thing wrong and there is a better way to do this.

Regards
   Estartu

-- 
---------------------------------------------------------------------------
Gerhard Schmidt    | http://www.augusta.de/~estartu     |
Fischbachweg 3     |                                    | PGP Public Key
86856 Hiltenfingen | JabberID: [email protected]       | on request
Germany            |                                    |
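
The context loss described in the message above, reproduced as an added example that is not part of the original post and is not Pyramid code: a standard-library model in which the groups callback depends on the context object. The class names, function names and all data are constructed for illustration.

```python
# Stand-alone model (standard library only). Names mirror Pyramid concepts,
# but nothing here is Pyramid code. All users, clubs and groups are constructed.
from types import SimpleNamespace

ALLOW, EVERYONE = "Allow", "system.Everyone"

class Club:
    def __init__(self, name, members):
        self.clubname = name
        self.members = members        # userid -> groups local to this club
        self.__acl__ = [(ALLOW, f"group:{name}:member", "view")]

class Root:
    __acl__ = [(ALLOW, EVERYONE, "view")]
    members = {}                      # no club-local groups at the root
    def __init__(self, clubs):
        self.clubs = clubs

def groupfinder(userid, context):
    """Groups callback: membership is defined on the context object."""
    return list(getattr(context, "members", {}).get(userid, []))

def effective_principals(userid, context):
    return [EVERYONE, userid] + groupfinder(userid, context)

def acl_permits(context, principals, permission):
    """An Allow ACE matching a held principal grants; otherwise deny."""
    return any(action == ALLOW and who in principals and perm == permission
               for action, who, perm in context.__acl__)

def visible_lossy(request):
    # Principals are derived once from request.context (the root), then
    # tested against each club's ACL: the club-local groups never appear.
    principals = effective_principals(request.userid, request.context)
    return [c.clubname for c in request.context.clubs
            if acl_permits(c, principals, "view")]

def visible_per_object(request):
    # Principals are recomputed against the club whose ACL is being checked.
    return [c.clubname for c in request.context.clubs
            if acl_permits(c, effective_principals(request.userid, c), "view")]

clubs = [Club("chess", {"alice": ["group:chess:member"]}),
         Club("rowing", {"bob": ["group:rowing:member"]})]
request = SimpleNamespace(userid="alice", context=Root(clubs))
```

In this model the mismatch fails closed: `visible_lossy` hides a club the user belongs to, while `visible_per_object` lists it and still denies the club the user is not a member of.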

