|--==> On Thu, 29 Jul 2010 20:02:11 +0800, Tim Hoffman <zutes...@gmail.com>
TH> I am currently finishing the first phase of a project that uses bobo,
TH> and zope.component (oh and a bfg based simple cms). I have defined groups
TH> have general permissions on entity types (ie StaffMember has view and edit
TH> on the Apprentice objects) but the specific object being accessed must
TH> into the
TH> specific lecturers (instance of StaffMember) scope. ie lecturers can only
TH> view apprentices
TH> who are enrolled in a course supervised by the lecturer.
TH> In my application the I apply additional predicates on the actual
TH> check scope, but in the main the user could not actually get to an entity
TH> outside of their scope
TH> as entities are fetched via model methods, For instance the lecturer can
TH> only find apprentices
TH> via the lecturers supervised_apprentices() method. I don't blindly accept
TH> entity keys as
TH> url's get/post values.
This is indeed an interesting pattern, and effectively one I've partly
TH> So I have found the zope[2/3] model level security not necessary (in this
TH> case) though I am emulating
TH> some of the capabilities (isOwner ... at the model level.)
TH> Not saying this is what you should do, but it is working for me.
Thanks for reporting your experience, it helps, as the required security
constraints above are similar to what I have.
Repoze-dev mailing list
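
The scoping pattern discussed in this thread, sketched as an added example that is not code from either poster or from bobo, zope.component or repoze: a type-level group permission check followed by a key lookup that only resolves inside the lecturer's `supervised_apprentices()` scope. `Course`, `GROUP_PERMISSIONS`, `Forbidden`, `get_apprentice_for` and all sample records are hypothetical names and constructed data.

```python
from dataclasses import dataclass, field

# Group-level permissions on entity types (hypothetical table):
# StaffMember has view and edit on Apprentice objects.
GROUP_PERMISSIONS = {("StaffMember", "Apprentice"): {"view", "edit"}}

class Forbidden(Exception):
    """Raised for both missing permission and out-of-scope keys."""

@dataclass(frozen=True)
class Apprentice:
    key: str
    name: str

@dataclass
class Course:
    title: str
    supervisor_key: str
    enrolled: list = field(default_factory=list)

@dataclass
class StaffMember:
    key: str
    all_courses: list = field(default_factory=list)

    def supervised_apprentices(self):
        # Scope: apprentices enrolled in a course this lecturer supervises.
        return {a.key: a
                for c in self.all_courses if c.supervisor_key == self.key
                for a in c.enrolled}

def get_apprentice_for(lecturer, apprentice_key, permission):
    # 1. Type-level check: does the group hold this permission at all?
    allowed = GROUP_PERMISSIONS.get(("StaffMember", "Apprentice"), set())
    if permission not in allowed:
        raise Forbidden(f"{permission} not granted on Apprentice")
    # 2. Instance-level scope: the key from the request is only ever
    #    resolved against the lecturer's own scoped collection, never
    #    against a global lookup, so out-of-scope keys cannot match.
    try:
        return lecturer.supervised_apprentices()[apprentice_key]
    except KeyError:
        # Same error for "does not exist" and "not yours": no key oracle.
        raise Forbidden("apprentice not in scope") from None

# Constructed sample data.
ALICE, BOB = Apprentice("a1", "Alice"), Apprentice("a2", "Bob")
COURSES = [Course("Welding", "s1", [ALICE]), Course("Plumbing", "s2", [BOB])]
LECTURER = StaffMember("s1", COURSES)
```

Returning the same `Forbidden` for unknown and out-of-scope keys keeps the response from revealing which apprentice keys exist.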