Hi Tim,

|--==> On Thu, 29 Jul 2010 20:02:11 +0800, Tim Hoffman <zutes...@gmail.com> said:

[...]

TH> I am currently finishing the first phase of a project that uses bobo, repoze.what
TH> and zope.component (oh and a bfg based simple cms). I have defined groups that
TH> have general permissions on entity types (ie StaffMember has view and edit permissions
TH> on the Apprentice objects) but the specific object being accessed must fall into the
TH> specific lecturer's (instance of StaffMember) scope. ie lecturers can only view apprentices
TH> who are enrolled in a course supervised by the lecturer.

TH> In my application I apply additional predicates on the actual instances that
TH> check scope, but in the main the user could not actually get to an entity outside of their scope
TH> as entities are fetched via model methods. For instance the lecturer can only find apprentices
TH> via the lecturer's supervised_apprentices() method. I don't blindly accept entity keys as
TH> url's get/post values.

This is indeed an interesting pattern, and effectively one I've partly used myself.

TH> So I have found the zope[2/3] model level security not necessary (in this case) though I am emulating
TH> some of the capabilities (isOwner ... at the model level.)

TH> Not saying this is what you should do, but it is working for me.

Thanks for reporting your experience, it helps, as the required security constraints above are similar to what I have.

Cheers,

Free
_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
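The scoped-lookup pattern Tim describes, as an added example that is not from the thread: a plain-Python model (constructed classes, permissions table and data; no repoze.what, bobo or zope API is used) in which a lecturer can only reach apprentices through supervised_apprentices(), placed beside the weaker form that resolves a key taken straight from the request.

```python
from dataclasses import dataclass, field

class Forbidden(Exception): pass

# Group-level permissions on entity types (constructed; stands in for what
# repoze.what groups/permissions grant in the setup Tim describes).
GROUP_PERMISSIONS = {"StaffMember": {"Apprentice": {"view", "edit"}}}

@dataclass(frozen=True)
class Apprentice:
    key: str
    name: str
    course: str

@dataclass
class StaffMember:
    key: str
    supervised_courses: set = field(default_factory=set)

    def supervised_apprentices(self, registry):
        # Scope rule: only apprentices enrolled in a course this lecturer
        # supervises are reachable through the model.
        return [a for a in registry.values() if a.course in self.supervised_courses]

def has_type_permission(user, entity_type, action):
    # The group is taken to be the user's class name (constructed convention).
    return action in GROUP_PERMISSIONS.get(type(user).__name__, {}).get(entity_type, set())

def view_apprentice_unscoped(lecturer, registry, key):
    # Weak form: the type-level check passes, then a key taken straight from a
    # GET/POST value is resolved, so any apprentice at all is viewable.
    if not has_type_permission(lecturer, "Apprentice", "view"):
        raise Forbidden("group lacks view on Apprentice")
    return registry[key]

def view_apprentice_scoped(lecturer, registry, key):
    # Thread's pattern: same type-level check, but the instance is located only
    # through the scoped model method, so an out-of-scope key never resolves.
    if not has_type_permission(lecturer, "Apprentice", "view"):
        raise Forbidden("group lacks view on Apprentice")
    for apprentice in lecturer.supervised_apprentices(registry):
        if apprentice.key == key:
            return apprentice
    raise Forbidden(f"{key!r} is outside lecturer {lecturer.key!r}'s scope")

# Constructed sample data: lecturer "lec-1" supervises only course "welding".
APPRENTICES = {a.key: a for a in (Apprentice("app-1", "Ada", "welding"),
                                  Apprentice("app-2", "Ben", "plumbing"))}
LECTURER = StaffMember("lec-1", {"welding"})
```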