Re: [Zope3-Users] Re: how to know if a principal has the right permissions
Lorenzo Gil Sanchez wrote:
> On Sun, 27-08-2006 at 23:53 +0200, Philipp von Weitershausen wrote:
>> zope.security.canAccess
>> zope.security.canWrite
>
> Nice, I didn't know about those and I ended up writing my own solution:
>
> def canAdd(self):
>     interaction = ZopeSecurityPolicy()
>     interaction.add(Participation(self.request.principal))

Ack. Just get the current interaction with zope.security.management.getInteraction(). With this code you're hard-wiring yourself to the security policy in zope.app.securitypolicy.

>     return interaction.checkPermission('zope.ManageContent', self.context)
>
> I'm trying to know if the user can add an item to a container. I don't know how to do that with zope.security.canWrite. I tried with zope.security.canWrite(self.context, '__data') since my container inherits from SampleContainer and the '__data' attribute is a dictionary-like object where the children are stored.
>
> I get a ForbiddenAttribute exception with that code.

Right. Because you're not supposed to poke at __data. The two underscores should scare you off!

By the way, this is a rule of thumb: Whenever you get ForbiddenAttribute errors, you're doing something wrong. Either:

1. you're missing security declarations

2. you're accessing something that purposely has no security declarations because you're not supposed to access it.

Most of the time when newbies hit ForbiddenAttribute, it's #1. In your case it's #2.

If you would take advantage of interfaces and look at IContainer, you would see that containers are like mappings (=dictionaries). Therefore, in order to add something in the container, you need to be able to access the __setitem__ method. Check for that and you'll be all set.

Philipp

___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users
Re: [Zope3-Users] Re: how to know if a principal has the right permissions
Lorenzo Gil Sanchez wrote:
>> Right. Because you're not supposed to poke at __data. The two underscores should scare you off!
>>
>> By the way, this is a rule of thumb: Whenever you get ForbiddenAttribute errors, you're doing something wrong. Either:
>>
>> 1. you're missing security declarations
>>
>> 2. you're accessing something that purposely has no security declarations because you're not supposed to access it.
>>
>> Most of the time when newbies hit ForbiddenAttribute, it's #1. In your case it's #2.
>>
>> If you would take advantage of interfaces and look at IContainer, you would see that containers are like mappings (=dictionaries). Therefore, in order to add something in the container, you need to be able to access the __setitem__ method. Check for that and you'll be all set.
>
> Sorry, my fault: I forgot to mention that I *did try* zope.security.canWrite(obj, '__setitem__') before and it always returns False, no matter if I try with the right user.

Why canWrite? You're not trying to *set* __setitem__! You should be checking for canAccess(container, '__setitem__'). People who want to add stuff to a container want to *call* container.__setitem__(...). I suggest you read up on the Python mapping API.

> That's why I started to poke with '__data' which I know was going to be a hack. By the way, by your rule of thumb I should not play with '__setitem__' either (e.g. it has four underscores).

You did not understand my rule of thumb. Read the rule of thumb again and check whether it contains any mentions of underscores. It doesn't. It's about ForbiddenAttribute errors, not underscores. And if you'd know your Python, you'd know __setitem__ is a standard mapping API method.

Philipp
Re: [Zope3-Users] Re: how to know if a principal has the right permissions
On Mon, 28-08-2006 at 20:49 +0200, Philipp von Weitershausen wrote:
> Lorenzo Gil Sanchez wrote:
>>> Right. Because you're not supposed to poke at __data. The two underscores should scare you off!
>>>
>>> By the way, this is a rule of thumb: Whenever you get ForbiddenAttribute errors, you're doing something wrong. Either:
>>>
>>> 1. you're missing security declarations
>>>
>>> 2. you're accessing something that purposely has no security declarations because you're not supposed to access it.
>>>
>>> Most of the time when newbies hit ForbiddenAttribute, it's #1. In your case it's #2.
>>>
>>> If you would take advantage of interfaces and look at IContainer, you would see that containers are like mappings (=dictionaries). Therefore, in order to add something in the container, you need to be able to access the __setitem__ method. Check for that and you'll be all set.
>>
>> Sorry, my fault: I forgot to mention that I *did try* zope.security.canWrite(obj, '__setitem__') before and it always returns False, no matter if I try with the right user.
>
> Why canWrite? You're not trying to *set* __setitem__! You should be checking for canAccess(container, '__setitem__'). People who want to add stuff to a container want to *call* container.__setitem__(...). I suggest you read up on the Python mapping API.

Oh! that was a stupid error indeed :(

Using canAccess now just does the opposite: it always returns True. I guess that's because when I register my container in the ZCML file I'm using zope.Public for the whole interface. I should split my interface in two interfaces, one for read-only attributes and one for write attributes, like the IContainer does.

So instead of inheriting my INewsFolder interface from IContainer I inherit from IReadContainer and I explicitly say in the configure.zcml that it also implements IWriteContainer. That way I can specify different permissions for read and write attributes.

Thanks a lot for your answers Philipp

Lorenzo
Re: [Zope3-Users] Re: how to know if a principal has the right permissions
Lorenzo Gil Sanchez wrote:
> On Mon, 28-08-2006 at 20:49 +0200, Philipp von Weitershausen wrote:
>> Lorenzo Gil Sanchez wrote:
>>>> Right. Because you're not supposed to poke at __data. The two underscores should scare you off!
>>>>
>>>> By the way, this is a rule of thumb: Whenever you get ForbiddenAttribute errors, you're doing something wrong. Either:
>>>>
>>>> 1. you're missing security declarations
>>>>
>>>> 2. you're accessing something that purposely has no security declarations because you're not supposed to access it.
>>>>
>>>> Most of the time when newbies hit ForbiddenAttribute, it's #1. In your case it's #2.
>>>>
>>>> If you would take advantage of interfaces and look at IContainer, you would see that containers are like mappings (=dictionaries). Therefore, in order to add something in the container, you need to be able to access the __setitem__ method. Check for that and you'll be all set.
>>>
>>> Sorry, my fault: I forgot to mention that I *did try* zope.security.canWrite(obj, '__setitem__') before and it always returns False, no matter if I try with the right user.
>>
>> Why canWrite? You're not trying to *set* __setitem__! You should be checking for canAccess(container, '__setitem__'). People who want to add stuff to a container want to *call* container.__setitem__(...). I suggest you read up on the Python mapping API.
>
> Oh! that was a stupid error indeed :(
>
> Using canAccess now just does the opposite: it always returns True. I guess that's because when I register my container in the ZCML file I'm using zope.Public for the whole interface. I should split my interface in two interfaces, one for read-only attributes and one for write attributes, like the IContainer does.
>
> So instead of inheriting my INewsFolder interface from IContainer I inherit from IReadContainer and I explicitly say in the configure.zcml that it also implements IWriteContainer. That way I can specify different permissions for read and write attributes.

Or, you leave INewsFolder as it is and only use IReadContainer and IWriteContainer in the ZCML declarations. That's what I would do. If you have my book, check the Containers chapter, it's done like this there.

Philipp
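
The read/write split discussed in the two messages above, as an added ZCML sketch (not code from the thread, the book or Zope itself). The package path myapp and the class name NewsFolder are hypothetical, and the interface locations assume the zope.app.container package of that Zope 3 era.

```xml
<configure xmlns="http://namespaces.zope.org/zope">

  <!-- Before: INewsFolder extends IContainer, so granting zope.Public on
       the whole interface also makes __setitem__ and __delitem__ public.
       canAccess(container, '__setitem__') is then True for every
       principal, anonymous users included.

  <class class="myapp.news.NewsFolder">
    <require permission="zope.Public"
             interface="myapp.interfaces.INewsFolder" />
  </class>
  -->

  <!-- After: INewsFolder itself is left unchanged. The mapping read API
       (keys, __getitem__, ...) stays public, while the write API
       (__setitem__, __delitem__) requires zope.ManageContent. -->
  <class class="myapp.news.NewsFolder">
    <require permission="zope.Public"
             interface="zope.app.container.interfaces.IReadContainer" />
    <require permission="zope.ManageContent"
             interface="zope.app.container.interfaces.IWriteContainer" />
  </class>

</configure>
```

With the second declaration, canAccess(container, '__setitem__') on the security-proxied container is True only for principals who hold zope.ManageContent, so a view method such as canAdd can use it to decide whether to show the add link.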
[Zope3-Users] Re: how to know if a principal has the right permissions
Lorenzo Gil Sanchez wrote:
> Hello,
>
> I have an INewsItem content type that anonymous users can see but only editors can create/edit/remove.
>
> I have a view which lists all my news items. I want to show links from this view to the add, edit and remove views for every news item but only if the principal is an editor.
>
> So, from my ListNewsView class I want to make a method called 'canEdit' and in the ZPT for that view I can write something like:
>
> <a href="./edit.html" tal:condition="view/canEdit">Change news ...</a>
>
> The question is: how do I know if the current principal has permission for a specific view? Something like:
>
> def canEdit(self):
>     ppal = self.request.principal
>     return canView('edit', INewsItem, ppal)

zope.security.canAccess
zope.security.canWrite

Philipp