On 4/26/06, Bernd Dorn <[EMAIL PROTECTED]> wrote:
>
> On 27.04.2006, at 02:44, Jeff Shell wrote:
>
> > So I spent the day writing an IAuthenticator utility that loads
> > principals out of an RDBMS (via a SQLAlchemy mapper based model). I
> > got that working. All I want right now is to have my site,
> > 'presenters', have view access restricted to the role
> > 'app.Presenters'.
> >
> > The site is persistent and the authenticator is a local utility. I set
> > up the site on load to disallow the 'zope.View' and
> > 'zope.app.dublincore.view' (not really needed, I guess, since I'm not
> > using dublin core anywhere) for the 'zope.Anonymous' role, and allow
> > it for 'app.Presenters' and 'zope.Manager'. It's just a simple /
> > blanket security policy, I know. But something similar has been in
> > place on the Zope 2 based version of this app for a number of years
> > now and has worked fine for this use case.
> >
> > But.. I have no idea how to do this in Zope 3 land. It took me all day
> > to write my authenticator. At the end of the day I saw it working in
> > so far as it obviously retrieved a user record out of the database,
> > validated the password, and returned a dirt simple principal object. I
> > could tell this by the login form giving me a different message this
> > time ("you're not allowed to do that operation"). I tried looking at
> > the Principal-Role map and... I don't understand it.
>
> just plug your own implementation in
>
>     <adapter factory=".your.security.RoleMapImplementation"
>         provides="zope.app.securitypolicy.interfaces.IPrincipalRoleMap"
>         for=".interfaces.IYourSiteOrSo"
>         trusted="true"
>         />
>
> just for granting local roles on the site it's enough to implement
>
>     def getRolesForPrincipal(principal_id):
>         """Get the roles granted to a principal.
>
>         Return the list of (role id, setting) assigned or removed from
>         this principal.
>
>         If no roles have been assigned to
>         this principal, then the empty list is returned.
>         """
>
> but you have to set your authenticator somewhere, so that you can see
> if the principal is from your authenticator by comparing ids
Thanks for the response. After some snooping around tonight, I was
suspecting that'd be the option to use. But then I decided to try using
IGroupedPrincipal instead. So now when my site configurator sets up this
particular site/app, it:

- Denies permission 'zope.View' to role 'zope.Anybody'
- Grants permission 'zope.View' to principal 'presenter.group'

My authenticator recognizes that and returns an IGroup. All of the
presenters returned have a groups attribute with the value
['presenter.group']. Seems to work so far, and I'm breathing a sigh of
relief tonight. Sure beats hoping I don't mess up an IPrincipalRoleMap
when I've got so much other work to do and am so far behind as it is.

Wheee, life!

--
Jeff Shell
_______________________________________________
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users
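The two approaches discussed in this thread, as an added stand-alone illustration that is not part of the original mail and is not Zope 3's own IPrincipalRoleMap or security-policy code: a per-authenticator role map whose getRolesForPrincipal answers only for principals carrying that authenticator's id prefix (Bernd's "compare ids" point), and the group-based grants Jeff ended up with (deny 'zope.View' to everybody, grant it to 'presenter.group', with each presenter principal listing that group). The names Principal, AuthenticatorRoleMap, SiteGrants, build_presenters_site, the id prefix 'sqlauth.' and the "most specific grant wins, default deny" resolution order are all assumptions of this example; the real Zope 3 policy is more involved.

```python
"""Toy model of local role maps and group-based permission grants.
Hypothetical classes and policy for illustration only; not Zope 3 code."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALLOW = "Allow"
DENY = "Deny"
EVERYBODY = "zope.Anybody"   # grantee that every principal implicitly matches (assumed)


@dataclass
class Principal:
    """Minimal stand-in for what an IAuthenticator hands back."""
    id: str
    groups: List[str] = field(default_factory=list)


class AuthenticatorRoleMap:
    """Role map belonging to one authenticator.

    Principal ids are assumed to carry the authenticator's prefix; that is
    how the map recognises its own principals and stays silent for others.
    """

    def __init__(self, prefix: str, roles: Dict[str, str]) -> None:
        self.prefix = prefix
        self.roles = roles            # role id -> ALLOW / DENY

    def getRolesForPrincipal(self, principal_id: str) -> List[Tuple[str, str]]:
        if not principal_id.startswith(self.prefix):
            return []                 # not one of ours: empty list, per the docstring
        return sorted(self.roles.items())


class SiteGrants:
    """Hypothetical site-level grant store plus a simplified checker."""

    def __init__(self) -> None:
        self._principal: Dict[Tuple[str, str], str] = {}   # (grantee, perm) -> setting
        self._role: Dict[Tuple[str, str], str] = {}        # (role, perm) -> setting
        self.role_maps: List[AuthenticatorRoleMap] = []

    def set_principal_permission(self, permission: str, grantee: str, setting: str) -> None:
        self._principal[(grantee, permission)] = setting

    def set_role_permission(self, permission: str, role_id: str, setting: str) -> None:
        self._role[(role_id, permission)] = setting

    def check(self, permission: str, principal: Principal) -> bool:
        """Most specific decision wins: the principal itself, then its groups,
        then roles the role maps grant it, then the catch-all grantee.
        Anything left undecided is denied."""
        for grantee in [principal.id, *principal.groups]:
            setting: Optional[str] = self._principal.get((grantee, permission))
            if setting is not None:
                return setting == ALLOW
        for role_map in self.role_maps:
            for role_id, role_setting in role_map.getRolesForPrincipal(principal.id):
                if role_setting != ALLOW:
                    continue          # a removed role confers nothing
                setting = self._role.get((role_id, permission))
                if setting is not None:
                    return setting == ALLOW
        return self._principal.get((EVERYBODY, permission)) == ALLOW


def build_presenters_site() -> SiteGrants:
    """Set up the 'presenters' site the way the thread describes (constructed)."""
    site = SiteGrants()
    # Jeff's configuration: deny zope.View to everybody, grant it to the group.
    site.set_principal_permission("zope.View", EVERYBODY, DENY)
    site.set_principal_permission("zope.View", "presenter.group", ALLOW)
    # Bernd's alternative: a role map for the RDBMS authenticator (prefix assumed)
    # that grants app.Presenters, with zope.View granted to that role.
    site.role_maps.append(AuthenticatorRoleMap("sqlauth.", {"app.Presenters": ALLOW}))
    site.set_role_permission("zope.View", "app.Presenters", ALLOW)
    return site


if __name__ == "__main__":
    site = build_presenters_site()
    for p in (Principal("sqlauth.jeff", ["presenter.group"]),   # group member
              Principal("sqlauth.bob"),                          # role via role map
              Principal("other.alice"),                          # foreign authenticator
              Principal("zope.anybody")):                        # anonymous
        print(p.id, "zope.View ->", site.check("zope.View", p))
```

The role map only ever speaks for ids that start with its own prefix, which is what keeps two authenticators' local role maps from granting roles to each other's users; everything else falls through to the group grant or to the everybody deny, and an unconfigured permission is denied rather than silently allowed.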