Re: [Zope-dev] ZCatalog - hiding query results

2002-04-02 Thread Dieter Maurer

Igor Stroh writes:
 > 
 > That means, users that don't have the permission
 > to "View" or "Access Content Information" can see the brains as well...

You can look at how the CMF (Content Management Framework) solves this problem.

Look for "allowedRolesAndUsers" and the implicit query extension
for users without special privileges (in the CatalogTool).


Dieter

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )



Re: [Zope-dev] ZCatalog - hiding query results

2001-11-12 Thread Igor Stroh

On Sat, Nov 10, 2001 at 10:33:09PM +0100, abel deuring wrote:

> I had exactly the same problem and solved it this way:
> 
> 1. define a method 'catalog_permission' in the classes of the objects
> that will be indexed:
[...]
> 2. define a new Catalog class, with a newly defined method
> searchResults:
[...]
> A more reliable implementation should make sure that only those objects
> are indexed, which define a method catalog_permission. Or
> Catalog.catalogObject could be overloaded to automatically build the
> information to be thrown into the catalog_permission index.


Abel, the code helps a lot, but only if you have unique role-names...
Consider the following situation:

o 5 organisations, each one has a folder at the "root" - level
o most of the stuff in these folders is accessible by any authenticated user
  i.e. no special roles required
o each folder contains an extra folder that is accessible only to users
  which have the OrganisationMember role (the role is assigned as soon as
  the user tries to access the contents of the protected subfolder and
  authenticates himself successfully, the uniqueness of this role is
  guaranteed by an LDAP tree, a user gets the OrganisationMember role only if
  he is in the right organisation)

Now the real problem is, the role is called OrganisationMember (or s.th. like 
that) _everywhere_, so the catalog_permission KeywordIndex returns a list of
roles that are allowed to "View" or "Access Content Information" on the 
specified object, but if the role is called everywhere the same 
(OrganisationMember), I can't restrict the result set to show only 
"allowed" objects because if a user is authenticated in another organisation
he'll get the OrganisationMember role and I can't check the permission
by specifying the catalog_permission index as AUTHENTICATED_USER.getRoles()
anymore... I could trick this behaviour by defining differently called roles for 
all organisations but that's kind of "static", I'd like the system to be
"dynamic"...


Anyway, thanks for the code, now I have a "base" I can work on :)

greetings,
Igor
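
Added example, not part of any post in this thread and not Zope or CMF code: a toy model of the idea behind the "allowedRolesAndUsers" index Dieter points to, applied to the situation Igor describes above, where one role name (OrganisationMember) is granted separately in each organisation. It assumes membership can be expressed per user and per folder; all function names, paths and user ids are constructed for illustration.

```python
# Toy model (constructed for illustration; not Zope/CMF code).
GLOBAL_ROLES = {"Anonymous", "Authenticated", "Manager"}  # context-free roles

def index_tokens(view_roles, local_roles):
    """Keyword-index value for one object.

    view_roles: roles holding 'View' on the object.
    local_roles: {user_id: set(roles)} granted in the object's context.
    Context-free roles are indexed by name; a context-dependent role is
    replaced by 'user:<id>' for each user who holds it in this context.
    """
    tokens = {r for r in view_roles if r in GLOBAL_ROLES}
    for user_id, roles in local_roles.items():
        if roles & set(view_roles):
            tokens.add("user:" + user_id)
    return tokens

def query_tokens(user_id, roles):
    """Tokens the catalog adds to every query issued by this user."""
    tokens = {"Anonymous"} | (set(roles) & GLOBAL_ROLES)
    if user_id is not None:
        tokens.add("user:" + user_id)
    return tokens

def search(catalog, user_id, roles):
    """Paths whose index tokens intersect the user's query tokens."""
    wanted = query_tokens(user_id, roles)
    return sorted(p for p, toks in catalog.items() if toks & wanted)

def naive_search(catalog_roles, roles):
    """Role-name-only filter, as in the catalog_permission approach."""
    return sorted(p for p, rs in catalog_roles.items() if set(rs) & set(roles))

# Constructed sample data: two organisations, same role name in both.
VIEW = {
    "/orgA/public": ["Authenticated"],
    "/orgA/private": ["OrganisationMember"],
    "/orgB/public": ["Authenticated"],
    "/orgB/private": ["OrganisationMember"],
}
LOCAL = {
    "/orgA/private": {"alice": {"OrganisationMember"}},
    "/orgB/private": {"bob": {"OrganisationMember"}},
}
CATALOG = {p: index_tokens(r, LOCAL.get(p, {})) for p, r in VIEW.items()}
```

Because the index stores user ids rather than a role name, the affected objects have to be re-indexed whenever the set of users holding the role in a folder changes.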




Re: [Zope-dev] ZCatalog - hiding query results

2001-11-10 Thread abel deuring

Igor Stroh wrote:
> 
> Hi all,
> 
> I don't know if it's the right list to post to, but I have the following
> problem:
> I have several objects (documents, folders etc) that are accessible only
> by a certain user role, these objects are cataloged. Now if I query the
> catalog the brains of these objects are returned correctly, but to _all_
> users that issue a query. That means, users that don't have the permission
> to "View" or "Access Content Information" can see the brains as well...
> I tried to filter the result set by converting the brains into real
> objects (brain.getObject) in an external method (I thought, this way I
> should be able to exclude unauthorized users by adding the
> "skip_unauthorized" to the dtml-in), but that doesn't work
> since there are "brains" that are actually NoBrainer instances...
> 
> Does anyone have an idea of how I could solve this problem?
> Actually I thought this kind of "information hiding" is supported by basic
> ZCatalog machinery, but now it looks like I'll have to hack a
> workaround...
> 
> Any help greatly appreciated.

Igor,

I had exactly the same problem and solved it this way:

1. define a method 'catalog_permission' in the classes of the objects
that will be indexed:

from AccessControl.PermissionRole import rolesForPermissionOn
from OFS.Folder import Folder

class someClass(Folder):
    def catalog_permission(self):
        """ Return: list of the roles that have the permissions 'View',
        'Access Content Information' and 'view archivDoc'
        """
        # a result that is a bare string is wrapped in a list
        l1 = rolesForPermissionOn('View', self)
        if type(l1) == type(''):
            l1 = [l1, ]

        l2 = rolesForPermissionOn('Access contents information', self)
        if type(l2) == type(''):
            l2 = [l2, ]

        # keep only the roles that hold both permissions
        res = []
        for x in l1:
            if x in l2:
                res.append(x)
        return res

2. define a new Catalog class, with a newly defined method
searchResults:

from Products.ZCatalog.ZCatalog import ZCatalog
from AccessControl import getSecurityManager

class ACatalog(ZCatalog):
    def searchResults(self, REQUEST=None, used=None, **kw):
        """  """
        # restrict every query to the roles of the current user
        roles = getSecurityManager().getUser().getRoles()
        if REQUEST is not None:
            REQUEST['catalog_permission'] = roles
        elif kw != {}:
            kw['catalog_permission'] = roles
        else:
            self.REQUEST['catalog_permission'] = roles
        return ZCatalog.searchResults(self, REQUEST, used, **kw)

3. Add a keyword index 'catalog_permission' to the ACatalog instance.
(Ok, that could be done automatically in ACatalog.__init__ , but I was
too lazy to write that...)

A more reliable implementation should make sure that only those objects
are indexed, which define a method catalog_permission. Or
Catalog.catalogObject could be overloaded to automatically build the
information to be thrown into the catalog_permission index.

Abel




Re: [Zope-dev] ZCatalog - hiding query results

2001-11-10 Thread Steve Alexander

Igor Stroh wrote:

> Hi all,
> 
> I don't know if it's the right list to post to, but I have the following
> problem:
> I have several objects (documents, folders etc) that are accessible only
> by a certain user role, these objects are cataloged. Now if I query the
> catalog the brains of these objects are returned correctly, but to _all_
> users that issue a query. That means, users that don't have the permission
> to "View" or "Access Content Information" can see the brains as well...


Look at the catalog tool in the CMF. It does what you want. However, I 
don't know how well it works outside of the CMF.

--
Steve Alexander
Software Engineer
Cat-Box limited


