[Zope-PAS] Re: struggling with Local Role plugin - followup question

2007-04-12 Thread Stan McFarland
Wichert Akkerman [EMAIL PROTECTED] writes:


 
 Use a dynamic group.
 
 Wichert.
 

Wichert, 

I successfully created an IGroupsPlugin, and I'm now successfully able 
to grant/deny access to a specific object by using the request.PUBLISHED 
attribute to examine the attributes of the object.  If the stars 
align (so to speak) I add the user to a group which has the 
appropriate permissions to view the object.  But I'm still stumped 
as to how to make this work for catalog queries, folder contents, 
etc, as it doesn't appear that my groups plugin gets called for 
catalog query results.  Is there some additional logic I can add 
to my plugin?

If I could make this work I'd be forever grateful (and so would my customer).  

Thanks again,

Stan


___
Zope-PAS mailing list
[EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-pas


[Zope-PAS] Re: struggling with Local Role plugin

2007-04-11 Thread Stan McFarland

 a quick way to check this and roles in general is to put together a python 
 script that shows the user's roles and permissions in context. as a quick 
 example, here's one i use on occasion (check_roles).. just invoke it 
 by appending check_roles to the url after the context.
 
 # Script (Python) "check_roles": call it as .../some-object/check_roles.
 # 'printed' collects the output of the print statements below.
 member = context.portal_membership.getAuthenticatedMember()
 print "uid", member.getId()
 print "email", member.getProperty('fullname'), member.getProperty('email')
 print "groups", member.getGroups()
 print "roles context", member.getRolesInContext(context)
 print "perm reply", context.portal_membership.checkPermission('Reply to item', context)
 print "perm add", context.portal_membership.checkPermission('Add portal content', context)
 print "perm modify", context.portal_membership.checkPermission('Modify portal content', context)
 print "discuss", context.portal_discussion.isDiscussionAllowedFor(context)
 
 return printed
 
 hth,
 
 kapil
 
 



Thanks, Kapil. I'll give it a try.  I have a feeling I may be wasting my time 
anyway, as I don't see any way to have the dynamic roles be applied for catalog 
queries.  In other words, if I have object A and object B in the same folder, 
and user1 can access object A but not B based on the external condition, user1 
should see A but not B in a folder listing, search, navigation, etc.  Is there 
any way at all to implement this functionality?

Thanks again,

Stan





[Zope-PAS] Re: struggling with Local Role plugin

2007-04-11 Thread Stan McFarland
 a quick way to check this and roles in general is to put together a python 
 script that shows the user's roles and permissions in context. as a quick 
 example, here's one i use on occasion (check_roles).. just invoke it 
 by appending check_roles to the url after the context.
 
 # Script (Python) "check_roles": call it as .../some-object/check_roles.
 # 'printed' collects the output of the print statements below.
 member = context.portal_membership.getAuthenticatedMember()
 print "uid", member.getId()
 print "email", member.getProperty('fullname'), member.getProperty('email')
 print "groups", member.getGroups()
 print "roles context", member.getRolesInContext(context)
 print "perm reply", context.portal_membership.checkPermission('Reply to item', context)
 print "perm add", context.portal_membership.checkPermission('Add portal content', context)
 print "perm modify", context.portal_membership.checkPermission('Modify portal content', context)
 print "discuss", context.portal_discussion.isDiscussionAllowedFor(context)
 
 return printed
 
 hth,
 
 kapil
 
 


Kapil, I'm close.   My goal is to make objects inaccessible if the user doesn't 
have the correct dynamic permission.   So for objects that the user can't see, 
they have no view permission.  For objects that they can see, the user gets a 
role called DYNAMIC with the view and access contents information 
permission.  Using your script, I see the following:

  roles context ['Member', 'Authenticated', 'DYNAMIC']
  access contents 1
  view 1

But if I add the following line to your script:

  print "title", context.Title()

Verbose Security reports the following:

  Access to 'Creator' denied ... Access requires one of the 
  following roles:  ['DYNAMIC', 'Manager', 'Owner', 'Reviewer'].  
  Your roles in this context are ['Authenticated', 'Member'].

What am I missing?  Is there some other object that is being accessed, or is 
there some other permission other than 'View' and 'Access Contents Information' 
that needs to be given?


Thanks very much for your help!





Re: [Zope-PAS] Re: struggling with Local Role plugin

2007-04-11 Thread Wichert Akkerman
Previously Stan McFarland wrote:
  a quick way to check this and roles in general is to put together a python 
  script that shows the user's roles and permissions in context. as a quick 
  example, here's one i use on occasion (check_roles).. just invoke it 
  by appending check_roles to the url after the context.
  
  # Script (Python) "check_roles": call it as .../some-object/check_roles.
  # 'printed' collects the output of the print statements below.
  member = context.portal_membership.getAuthenticatedMember()
  print "uid", member.getId()
  print "email", member.getProperty('fullname'), member.getProperty('email')
  print "groups", member.getGroups()
  print "roles context", member.getRolesInContext(context)
  print "perm reply", context.portal_membership.checkPermission('Reply to item', context)
  print "perm add", context.portal_membership.checkPermission('Add portal content', context)
  print "perm modify", context.portal_membership.checkPermission('Modify portal content', context)
  print "discuss", context.portal_discussion.isDiscussionAllowedFor(context)
  
  return printed
  
  hth,
  
  kapil
  
  
 
 
 
 Thanks, Kapil. I'll give it a try.  I have a feeling I may be wasting my time 
 anyway, as I don't see any way to have the dynamic roles be applied for 
 catalog queries.  In other words, if I have object A and object B in the same 
 folder, and user1 can access object A but not B based on the external 
 condition, user1 should see A but not B in a folder listing, search, 
 navigation, etc.  Is there any way at all to implement this functionality?

Use a dynamic group.

Wichert.

-- 
Wichert Akkerman [EMAIL PROTECTED]    It is simple to make things.
http://www.wiggy.net/                 It is hard to make things simple.


[Zope-PAS] Re: struggling with Local Role plugin

2007-04-11 Thread Stan McFarland
Wichert Akkerman [EMAIL PROTECTED] writes:


 
 Use a dynamic group.
 
 Wichert.
 

Wichert,  

Thanks for the response.  I can see where there's some similarity in the 
notion of adding a role to a user dynamically and adding a user to a group
dynamically, assuming that the group has the requisite roles.  But my
problem (and maybe I wasn't clear about this before) is that the condition that
determines access is based on both an external condition and an attribute 
of the object itself, which is why I was trying to make this work with 
local roles.  I didn't think that the object was available from the role or
group plugins, but if I'm wrong, please let me know.  
 
Actually, maybe I should rephrase my problem, and see if you have a 
suggestion. Basically, I need to set up a security model such that 
access to a given object requires a combination of roles. For example, 
I might have an object that would be labeled Alpha, Beta, Gamma, 
and a user must possess, at a minimum, all three roles to be able 
to see the object.  I could implement this with 2**n - 1 roles, so I 
would have 7 roles and a separate workflow state for each role - not too
bad.  The problem is one of scale - if I have 6 labels, I end up with 63 
workflow states.  So instead, I was trying to use the labels as object
attributes and adding roles at runtime.  Does this make sense?

Any advice you could give would be greatly appreciated.  

Thanks again,

Stan 


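The two threads of Stan's question above (whether a groups plugin can look at the object, and how the same decision can reach folder listings and catalog queries) meet in Wichert's "use a dynamic group": if the groups plugin answers from the user alone and each object grants its local role to one group named after its label combination, no per-object plugin call is needed and no 2**n - 1 roles or workflow states are required. The following is an added example, not code from the thread, PAS or Plone, and it runs without Zope. Everything in it is a stand-in: the clearance dictionary replaces the external condition, the "labels_" group naming and the DYNAMIC role name are assumptions, the LabelGroupsPlugin class only imitates the getGroupsForPrincipal signature of an IGroupsPlugin, and the catalog part is a simplified model of a keyword index holding "user:" tokens in the style of allowedRolesAndUsers. It also generalises past the three-label case to any label set.

```python
"""Label-combination access via one dynamic group per label combination.

Constructed illustration (not code from the Zope-PAS thread, PAS or Plone).
An object carries a set of labels; an external source says which labels a
user is cleared for; the user may view the object only if cleared for every
label on it.  The object grants a local role to a single group named after
its label combination, and the groups plugin hands each user every
combination their clearance covers.  That answer depends only on the user,
so it is the same for a direct request, a folder listing and a catalog query.
"""
from itertools import combinations

VIEW_ROLE = "DYNAMIC"       # role carrying View on labelled objects (name from the thread)
GROUP_PREFIX = "labels_"    # naming convention for the dynamic groups (assumption)


def group_for_labels(labels):
    """Canonical group id for one label combination, e.g. labels_Alpha_Beta."""
    names = sorted(set(labels))
    if not names:
        raise ValueError("a labelled object needs at least one label")
    return GROUP_PREFIX + "_".join(names)


def groups_for_clearance(clearance):
    """All groups a user with this clearance belongs to: one per non-empty
    subset of the labels they are cleared for.  Computed from the user alone,
    so a groups plugin can return it without looking at request.PUBLISHED."""
    names = sorted(set(clearance))
    return [group_for_labels(c)
            for r in range(1, len(names) + 1)
            for c in combinations(names, r)]


def can_view(labels, clearance):
    """Direct-access check: the object's group must be among the user's groups
    (equivalent to set(labels) <= set(clearance))."""
    return group_for_labels(labels) in set(groups_for_clearance(clearance))


class LabelGroupsPlugin:
    """Stand-in for a PAS IGroupsPlugin (assumption: only the
    getGroupsForPrincipal signature is imitated, nothing is registered).
    'clearances' replaces the external lookup."""

    def __init__(self, clearances):
        self.clearances = clearances

    def getGroupsForPrincipal(self, principal_id, request=None):
        # request is deliberately unused: the answer must not depend on which
        # object is being published, or catalog queries would get a different
        # answer from direct access.
        return tuple(groups_for_clearance(self.clearances.get(principal_id, ())))


# --- catalog side: a simplified allowedRolesAndUsers-style keyword index ---

def index_entries(obj):
    """Tokens stored for an object: roles that carry View plus the
    'user:<group>' token for the local role granted to its label group.
    The 'user:' prefix imitates CMF's allowedRolesAndUsers convention."""
    return {"Manager", "user:" + group_for_labels(obj["labels"])}


def query_tokens(plugin, principal_id, roles=("Authenticated", "Member")):
    """Tokens a search on behalf of this user matches against."""
    tokens = set(roles) | {"user:" + principal_id}
    tokens |= {"user:" + g for g in plugin.getGroupsForPrincipal(principal_id)}
    return tokens


def search(catalog, plugin, principal_id):
    """Ids of catalogued objects visible to the user: a hit needs at least one
    token in common, exactly like a keyword-index query."""
    mine = query_tokens(plugin, principal_id)
    return sorted(obj["id"] for obj in catalog if index_entries(obj) & mine)


# Constructed sample data: two objects in one folder, two users.
CATALOG = [
    {"id": "A", "labels": {"Alpha", "Beta"}},
    {"id": "B", "labels": {"Alpha", "Beta", "Gamma"}},
]
CLEARANCES = {
    "user1": {"Alpha", "Beta"},
    "user2": {"Alpha", "Beta", "Gamma", "Delta"},
}
PLUGIN = LabelGroupsPlugin(CLEARANCES)

if __name__ == "__main__":
    print(search(CATALOG, PLUGIN, "user1"))   # ['A']
    print(search(CATALOG, PLUGIN, "user2"))   # ['A', 'B']
```

The object side is an ordinary local role assignment (the labels group gets the DYNAMIC role), which a real allowedRolesAndUsers index already records, so reindexing is needed only when an object's labels change; the user side changes only when a clearance changes. The 2**k - 1 growth moves from the object (k = number of labels in the system) to the user (k = labels that one user is cleared for), which is small in practice, and only label combinations that some object actually uses need to exist as groups at all.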