[Zope-PAS] struggling with Local Role plugin
Hi,

I have what I think is a fairly simple use case for my Plone site. I want to be able to add a local role dynamically based on two factors: the content of the object, and a given external condition. So I've written a local role plugin, where getRolesInContext() checks these two factors and returns either an empty list or a list containing one item, the new role. This seems to work well.

It's the checkLocalRolesAllowed() method I'm having problems with. My logic looks like:

    if object has specific content:
        if external condition is true:
            return 1
        else:
            return None
    return None

From looking at the PlonePAS code, it appears that the PloneUser class iterates through all of the LocalRole plugins, and continues until one of the plugins returns something other than None. But what happens is that the user is still denied access to the object. If I change the last return to 1, the user can access the object, but naturally gets access to everything else as well.

Am I missing some basic logic here?

Thanks,
Stan McFarland

___
Zope-PAS mailing list
Zope-PAS@zope.org
http://mail.zope.org/mailman/listinfo/zope-pas
[Zope-PAS] Re: struggling with Local Role plugin
> A quick way to check this, and roles in general, is to put together a Python script that shows the user's roles and permissions in context. As a quick example, here's one I use on occasion (check_roles); just invoke it by appending check_roles to the URL after the context:
>
>     # Script (Python) in the ZMI; Zope collects the print output in 'printed'
>     member = context.portal_membership.getAuthenticatedMember()
>     print "uid", member.getId()
>     print "email", member.getProperty('fullname'), member.getProperty('email')
>     print "groups", member.getGroups()
>     print "roles context", member.getRolesInContext(context)
>     print "perm reply", context.portal_membership.checkPermission('Reply to item', context)
>     print "perm add", context.portal_membership.checkPermission('Add portal content', context)
>     print "perm modify", context.portal_membership.checkPermission('Modify portal content', context)
>     print "discuss", context.portal_discussion.isDiscussionAllowedFor(context)
>     return printed
>
> hth,
> kapil

Thanks, Kapil. I'll give it a try.

I have a feeling I may be wasting my time anyway, as I don't see any way to have the dynamic roles be applied for catalog queries. In other words, if I have object A and object B in the same folder, and user1 can access object A but not B based on the external condition, user1 should see A but not B in a folder listing, search, navigation, etc. Is there any way at all to implement this functionality?

Thanks again,
Stan
[Zope-PAS] Re: struggling with Local Role plugin
> A quick way to check this, and roles in general, is to put together a Python script that shows the user's roles and permissions in context. As a quick example, here's one I use on occasion (check_roles); just invoke it by appending check_roles to the URL after the context:
>
>     # Script (Python) in the ZMI; Zope collects the print output in 'printed'
>     member = context.portal_membership.getAuthenticatedMember()
>     print "uid", member.getId()
>     print "email", member.getProperty('fullname'), member.getProperty('email')
>     print "groups", member.getGroups()
>     print "roles context", member.getRolesInContext(context)
>     print "perm reply", context.portal_membership.checkPermission('Reply to item', context)
>     print "perm add", context.portal_membership.checkPermission('Add portal content', context)
>     print "perm modify", context.portal_membership.checkPermission('Modify portal content', context)
>     print "discuss", context.portal_discussion.isDiscussionAllowedFor(context)
>     return printed
>
> hth,
> kapil

Kapil,

I'm close. My goal is to make objects inaccessible if the user doesn't have the correct dynamic permission. So for objects that the user can't see, they have no View permission. For objects that they can see, the user gets a role called DYNAMIC with the View and Access contents information permissions.

Using your script, I see the following:

    roles context ['Member', 'Authenticated', 'DYNAMIC']
    access contents 1
    view 1

But if I add the following line to your script:

    print "title", context.Title()

Verbose Security reports the following:

    Access to 'Creator' denied ... Access requires one of the following roles: ['DYNAMIC', 'Manager', 'Owner', 'Reviewer']. Your roles in this context are ['Authenticated', 'Member'].

What am I missing? Is there some other object that is being accessed, or is there some other permission other than 'View' and 'Access Contents Information' that needs to be given?

Thanks very much for your help!
Re: [Zope-PAS] Re: struggling with Local Role plugin
Previously Stan McFarland wrote:
> > A quick way to check this, and roles in general, is to put together a Python script that shows the user's roles and permissions in context. As a quick example, here's one I use on occasion (check_roles); just invoke it by appending check_roles to the URL after the context:
> >
> > [check_roles script snipped]
> >
> > hth,
> > kapil
>
> Thanks, Kapil. I'll give it a try.
>
> I have a feeling I may be wasting my time anyway, as I don't see any way to have the dynamic roles be applied for catalog queries. In other words, if I have object A and object B in the same folder, and user1 can access object A but not B based on the external condition, user1 should see A but not B in a folder listing, search, navigation, etc. Is there any way at all to implement this functionality?

Use a dynamic group.

Wichert.

-- 
Wichert Akkerman [EMAIL PROTECTED]    It is simple to make things.
http://www.wiggy.net/                   It is hard to make things simple.
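A model of the catalog point Stan raises and Wichert answers, added here as an illustration; it is not code from the thread or from Plone. Plone's catalog filters searches through the allowedRolesAndUsers index: each object is indexed with the roles that carry View plus user:<id> or user:<group> for principals holding a view-granting local role, and the searching user is matched by its global roles, user:<id> and user:<group> for each group it belongs to. The index is built when the object is indexed, so a role a local-role plugin computes per user and object at request time is never on the query side; a group id returned by a dynamic group plugin is. The group-id scheme below (one group per label set, named `labels:Alpha+Beta`) and the Catalog, dynamic_groups and searcher_principals helpers are assumptions made for the example, not anything the thread specifies.

```python
from itertools import combinations

DYNAMIC = "DYNAMIC"


def group_id(labels):
    """Assumed group-id scheme: one group per label set, e.g. 'labels:Alpha+Beta'."""
    return "labels:" + "+".join(sorted(labels))


class Catalog:
    """Minimal model of the allowedRolesAndUsers index: object id -> principals."""

    def __init__(self):
        self.index = {}

    def index_object(self, obj_id, view_roles, local_roles=None):
        # view_roles: roles carrying View on the object (set by workflow);
        # local_roles: {principal: [roles]}, as stored in __ac_local_roles__.
        allowed = set(view_roles)
        for principal, roles in (local_roles or {}).items():
            if set(roles) & set(view_roles):
                allowed.add("user:" + principal)
        self.index[obj_id] = allowed

    def search(self, searcher_principals):
        """What a folder listing or search returns for the searching user."""
        wanted = set(searcher_principals)
        return sorted(oid for oid, allowed in self.index.items() if allowed & wanted)


def dynamic_groups(user_labels):
    """What a dynamic group plugin would return for a user: one group per
    non-empty subset of the labels the user holds (the 'external condition')."""
    labels = sorted(user_labels)
    return [group_id(c) for r in range(1, len(labels) + 1)
            for c in combinations(labels, r)]


def searcher_principals(user_id, global_roles, groups=()):
    """Query side of the catalog check: global roles, user:<id>, user:<group>.
    A role a local-role plugin computes per object is never part of this."""
    return set(global_roles) | {"user:" + user_id} | {"user:" + g for g in groups}


def demo():
    # constructed data: user1 and two objects A and B in the same folder
    global_roles = ["Member", "Authenticated"]
    user_labels = {"Alpha", "Beta", "Gamma"}
    a_labels = {"Alpha", "Beta", "Gamma"}   # user1 holds all of these
    b_labels = {"Alpha", "Beta", "Delta"}   # user1 lacks Delta

    # Scenario 1: DYNAMIC granted per object by a local-role plugin. Workflow gives
    # DYNAMIC the View permission, so the index lists the role on both objects, but
    # the searcher's principals never contain it: nothing is listed.
    cat1 = Catalog()
    cat1.index_object("A", view_roles=["Manager", DYNAMIC])
    cat1.index_object("B", view_roles=["Manager", DYNAMIC])
    via_role = cat1.search(searcher_principals("user1", global_roles))

    # Scenario 2: each object gives the Reader local role to the group that encodes
    # its own label set; the dynamic group plugin puts user1 in every group whose
    # label set user1 satisfies. Index and query now meet on the group id.
    cat2 = Catalog()
    cat2.index_object("A", ["Manager", "Reader"], {group_id(a_labels): ["Reader"]})
    cat2.index_object("B", ["Manager", "Reader"], {group_id(b_labels): ["Reader"]})
    via_group = cat2.search(
        searcher_principals("user1", global_roles, dynamic_groups(user_labels)))

    return {"via_local_role_plugin": via_role,
            "via_dynamic_group": via_group,
            "groups_for_user1": len(dynamic_groups(user_labels))}


if __name__ == "__main__":
    print(demo())
```

Two caveats on the scheme as modelled: the object's local role for its label group has to be written (and the object reindexed) whenever its labels change, and a user with k labels lands in 2**k - 1 groups, which is cheap for the handful of labels a person typically holds but is the same exponential the workflow-state approach hits on the object side. The group plugin itself only needs the user's labels; the object's labels are consumed when the local role is stored, which is why the object need not be visible to the group plugin.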
[Zope-PAS] Re: struggling with Local Role plugin
Wichert Akkerman [EMAIL PROTECTED] writes:
> Use a dynamic group.
>
> Wichert.

Wichert,

Thanks for the response. I can see where there's some similarity in the notion of adding a role to a user dynamically and adding a user to a group dynamically, assuming that the group has the requisite roles. But my problem (and maybe I wasn't clear about this before) is that the condition that determines access is based on both an external condition and an attribute of the object itself, which is why I was trying to make this work with local roles. I didn't think that the object was available from the role or group plugins, but if I'm wrong, please let me know.

Actually, maybe I should rephrase my problem, and see if you have a suggestion. Basically, I need to set up a security model such that access to a given object requires a combination of roles. For example, I might have an object that would be labeled Alpha, Beta, Gamma, and a user must possess, at a minimum, all three roles to be able to see the object. I could implement this with 2**n - 1 roles, so I would have 7 roles and a separate workflow state for each role, not too bad. The problem is one of scale: if I have 6 labels, I end up with 63 workflow states. So instead, I was trying to use the labels as object attributes and adding roles at runtime.

Does this make sense? Any advice you could give would be greatly appreciated.

Thanks again,
Stan
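A pure-Python model of the two local-role plugin hooks the thread turns on (getRolesInContext and checkLocalRolesAllowed) and of the label scheme Stan sketches in his last message, added here as an example; it is not code from the thread or from PlonePAS. The dispatch loop in allowed() is an assumption modelled on Stan's description (global roles first, then each plugin in order until one returns something other than None), and the Content and User classes and the label attribute are constructed for the example. It shows the grant/deny/defer convention (1, 0, None), why a plugin that returns 1 unconditionally over-permits, and how one DYNAMIC role granted on a subset test replaces the 2**n - 1 roles and workflow states of the combinatorial scheme.

```python
from dataclasses import dataclass

DYNAMIC = "DYNAMIC"  # the role name used in the thread


@dataclass
class Content:
    """Constructed stand-in for a Plone content object."""
    title: str
    labels: frozenset = frozenset()            # the object attribute, e.g. {"Alpha", "Beta"}
    view_roles: tuple = ("Manager", DYNAMIC)   # roles carrying View, as workflow would set them


@dataclass
class User:
    """Constructed stand-in for a PloneUser; `labels` is the 'external condition'."""
    id: str
    global_roles: frozenset = frozenset({"Member", "Authenticated"})
    labels: frozenset = frozenset()


class LabelLocalRolePlugin:
    """Grants DYNAMIC when the user holds every label the object carries.

    Return convention modelled on the thread: 1 = grant, 0 = deny,
    None = no opinion, let the next plugin decide."""

    def getRolesInContext(self, user, obj):
        if obj.labels and obj.labels <= user.labels:
            return [DYNAMIC]
        return []

    def checkLocalRolesAllowed(self, user, obj, object_roles):
        # Only answer when the role we manage would satisfy this check;
        # otherwise defer so the stock __ac_local_roles__ plugin still runs.
        if DYNAMIC not in object_roles:
            return None
        if DYNAMIC in self.getRolesInContext(user, obj):
            return 1
        return None


class UnconditionalPlugin:
    """The 'change the last return to 1' variant from the first post."""

    def getRolesInContext(self, user, obj):
        return []

    def checkLocalRolesAllowed(self, user, obj, object_roles):
        return 1


def allowed(user, obj, plugins):
    """Simplified model of the dispatch described in the thread (an assumption,
    not PlonePAS's code): global roles first, then each local-role plugin in
    order until one returns something other than None."""
    if user.global_roles & set(obj.view_roles):
        return True
    for plugin in plugins:
        verdict = plugin.checkLocalRolesAllowed(user, obj, obj.view_roles)
        if verdict is None:
            continue
        return bool(verdict)
    return False  # every plugin deferred: nobody vouched for the user


def roles_in_context(user, obj, plugins):
    roles = set(user.global_roles)
    for plugin in plugins:
        roles.update(plugin.getRolesInContext(user, obj))
    return sorted(roles)


def static_role_count(n_labels):
    """Roles (and workflow states) the 'one role per label combination' scheme needs."""
    return 2 ** n_labels - 1


def demo():
    plugins = [LabelLocalRolePlugin()]
    a = Content("A", frozenset({"Alpha", "Beta", "Gamma"}))
    b = Content("B", frozenset({"Alpha", "Beta", "Delta"}))
    user1 = User("user1", labels=frozenset({"Alpha", "Beta", "Gamma"}))
    return {
        "user1_sees_A": allowed(user1, a, plugins),
        "user1_sees_B": allowed(user1, b, plugins),
        "roles_on_A": roles_in_context(user1, a, plugins),
        # appending the unconditional plugin lets user1 through to B as well
        "sees_B_with_unconditional_plugin": allowed(user1, b, plugins + [UnconditionalPlugin()]),
        "states_for_6_labels": static_role_count(6),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The plugin checks that DYNAMIC is actually among object_roles before granting; a plugin that grants whenever its own condition holds, regardless of which roles the protected attribute asks for, would be vouching for permissions it knows nothing about. Note also that this settles only the per-object access check; a folder listing or search goes through the catalog and does not call these hooks.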