Re: [Zope-dev] "dynamic permissions" in zope
Heinz-Josef Claes writes: > dynamic permissions It is not Zope's normal behaviour. Of cause, you could plug in a new UserFolder that implements the features you require (someone else recommended "LoginManager"). On the other hand, Zope is flexible enough to let you approximate the desired behaviour - at the expense of a bit extra work: You create a folder like ZClass for your documents. Each document goes into its own ZInstance. You ensure, that the document is not accessible directly. You give your ZClass a method "index_html". It performs your application specific security checking. If the check succeeds, it renders the document. You may need to set a proxy role for your "index_html" be able to render the document. This approach is only an approximation. It looses the fine grained permission checking during the rendering of your document. Dieter ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] "dynamic permissions" in zope
Steve Alexander <[EMAIL PROTECTED]> wrote: > Steve Alexander wrote: > > > > > I believe the latest LoginManager allows you to specify what roles a > > user has, and compute these each request, based on the details of the > > request. > > > > This is probably more useful than having dynamically computed > > permissions; While I can see how a user's roles will vary according to > > where they are, what they are doing and when they are doing it, I cannot > > see why permissions need to change in that way. > > > > However, you mention that you are new to Zope. ZPatterns can be > > difficult to understand and get into. Other than the creators of > > ZPatterns, I haven't heard of anyone using this computed permissions > > system. > > What I forgot to mention: LoginManager is a Zope product that is built > using ZPatterns, another Zope product. > > When you are doing advanced things with LoginManager, you need to know > how ZPatterns works. > > There are a couple of HOWTO documents on using LoginManager. It will be > only a small change to alter the "userRoles" method that returns the > roles a user should have to calculate these roles based on other criteria. > > See these documents for information about how to set up LoginManager. > >http://www.zope.org/Members/dlpierson/sqlLogin >http://www.zope.org/Members/jok/SQL_based_LoginManager The workflow-as-finite-state-machine implementation I am working on for the PTK has similar requirements: the permission associated with a particular method (e.g., 'edit'), depends on the workflow status of the object (e.g., you need more privileges to edit the object once it has been "published"). My temporary workaround is to have each method assert the appropriate permission, as part of creating its audit trail entry. I plan to arrange for the permission-role mapping computation to be handled by the workflow tool, as well. Tres. -- === Tres Seaver[EMAIL PROTECTED] Digital Creations "Zope Dealers" http://www.zope.org ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] "dynamic permissions" in zope
Steve Alexander wrote: > > I believe the latest LoginManager allows you to specify what roles a > user has, and compute these each request, based on the details of the > request. > > This is probably more useful than having dynamically computed > permissions; While I can see how a user's roles will vary according to > where they are, what they are doing and when they are doing it, I cannot > see why permissions need to change in that way. > > However, you mention that you are new to Zope. ZPatterns can be > difficult to understand and get into. Other than the creators of > ZPatterns, I haven't heard of anyone using this computed permissions > system. What I forgot to mention: LoginManager is a Zope product that is built using ZPatterns, another Zope product. When you are doing advanced things with LoginManager, you need to know how ZPatterns works. There are a couple of HOWTO documents on using LoginManager. It will be only a small change to alter the "userRoles" method that returns the roles a user should have to calculate these roles based on other criteria. See these documents for information about how to set up LoginManager. http://www.zope.org/Members/dlpierson/sqlLogin http://www.zope.org/Members/jok/SQL_based_LoginManager -- Steve Alexander Software Engineer Cat-Box limited http://www.cat-box.net ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] "dynamic permissions" in zope
Heinz-Josef Claes wrote: > > Our requrements are a permissioning system which depends on a matrix: > There are two independend qualities which describe, if a user is allowed > to see a document. This can be displayed in a matrix. Only if *both* > qualities match, the user is allowed to see it. > As far as I understand zope, it is not possible to map this directly (as > by all other systems I know). > > So my question: > Is it possible to connect a permission (or role) in zope with a method > (instead of a static flag which was set)? If it is possible, it should > be possible to call a special algorithm with this request, which can > implement whatever is needed. So, it would be (easy) possible to > *integrate* this functionality. > (I called this permissions "dynamic", because the are evaluated when > requestet.) I believe the latest LoginManager allows you to specify what roles a user has, and compute these each request, based on the details of the request. This is probably more useful than having dynamically computed permissions; While I can see how a user's roles will vary according to where they are, what they are doing and when they are doing it, I cannot see why permissions need to change in that way. However, you mention that you are new to Zope. ZPatterns can be difficult to understand and get into. Other than the creators of ZPatterns, I haven't heard of anyone using this computed permissions system. -- Steve Alexander Software Engineer Cat-Box limited http://www.cat-box.net ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] "dynamic permissions" in zope
Hi, I'm very new to zope and have to eximine, if it's usable for our requirements. The question I have, is very simple or perhaps very difficult, I don't know. Our requrements are a permissioning system which depends on a matrix: There are two independend qualities which describe, if a user is allowed to see a document. This can be displayed in a matrix. Only if *both* qualities match, the user is allowed to see it. As far as I understand zope, it is not possible to map this directly (as by all other systems I know). So my question: Is it possible to connect a permission (or role) in zope with a method (instead of a static flag which was set)? If it is possible, it should be possible to call a special algorithm with this request, which can implement whatever is needed. So, it would be (easy) possible to *integrate* this functionality. (I called this permissions "dynamic", because the are evaluated when requestet.) Or does anybody has another (better) idea? Any help is very apreciated, Heinz-Josef Claes [EMAIL PROTECTED] ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )