Re: [Zope3-Users] Permissions of a given object

2006-01-17 Thread Frank Burkhardt
Hi,

On Sun, Jan 15, 2006 at 11:20:47AM -0500, Stephan Richter wrote:
 On Thursday 12 January 2006 08:13, Frank Burkhardt wrote:
  but the problem remains: canAccess returns True for all inaccessible
  objects.
 
 It is hard to guess where your setup is wrong. Does it not work for unit 
 tests, ftests and/or the full application?

The full application.

In a browser:view I want to query my Catalog to return a list of objects:

 from zope.security.checker import canAccess

 list = catalog.searchResults(content='findme')

list contains a list of objects containing the word 'findme'. Now I
want to filter the list so that it contains only the objects the current
principal has access to.

 permitted_list = []
 for obj in list:
     if canAccess(obj, '__call__'):
         permitted_list.append(obj)

But there's no security proxy wrapping the 'obj's from 'list'.

How do I securityproxify 'obj' before it is checked by canAccess so that the
result of canAccess reflects whether the current principal is allowed to access
'obj'?

Maybe I'm completely wrong and there's another way to filter search results
for objects the user has access to?

Regards,

Frank


___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users


Re: [Zope3-Users] Permissions of a given object

2006-01-17 Thread Gary Poster


On Jan 17, 2006, at 10:38 AM, Frank Burkhardt wrote:

 Hi,

 On Sun, Jan 15, 2006 at 11:20:47AM -0500, Stephan Richter wrote:

  On Thursday 12 January 2006 08:13, Frank Burkhardt wrote:

   but the problem remains: canAccess returns True for all inaccessible
   objects.

  It is hard to guess where your setup is wrong. Does it not work for unit
  tests, ftests and/or the full application?

 The full application.

 In a browser:view I want to query my Catalog to return a list of objects:

  list = catalog.searchResults(content='findme')

 list contains a list of objects containing the word 'findme'. Now I
 want to filter the list so that it contains only the objects the current
 principal has access to.

  permitted_list = []
  for obj in list:
      if canAccess(obj, '__call__'):
          permitted_list.append(obj)

 But there's no security proxy wrapping the 'obj's from 'list'.

 How do I securityproxify 'obj' before it is checked by canAccess so that the
 result of canAccess reflects whether the current principal is allowed to
 access 'obj'?

1) adding a security proxy is done with zope.security.checker.ProxyFactory
2) canWrite and canAccess already do this for you: the code you list
should work without modification of the sort that you describe.

 Maybe I'm completely wrong and there's another way to filter search results
 for objects the user has access to?

The meaning of objects a user can access varies significantly from
application to application.  You will probably want to optimize this
filter by creating an index eventually.  For some policies and
questions, this might be hard to do well.  We'll be releasing an
index that does this sort of thing for one kind of use case soon, but
it doesn't precisely match what you are doing here.  You'll probably
want to think about this problem for your app and see how you can
index the data.


Gary
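Gary's two points (ProxyFactory is what adds the proxy, and canAccess proxies the object itself before consulting the checker), together with Frank's goal of keeping only the catalog hits the current principal may access, modelled in plain Python. This is an added illustration, not code from the thread and not zope.security's own implementation: Interaction, Checker, Proxy, proxy_factory and can_access are simplified stand-ins whose signatures are assumptions (the interaction is passed in explicitly rather than read from thread-local state, and a per-object GRANTS table stands in for the security policy), and the Document catalog and grants are constructed sample data.

```python
"""Stand-alone model of a proxy-based permission check.  Added illustration,
NOT zope.security's code: it mimics the mechanism Gary describes (ProxyFactory
wraps an object with the checker registered for its class; canAccess proxies
the object, then asks that checker about the permission declared for the
attribute).  Names follow zope.security loosely; passing the interaction in
explicitly instead of reading thread-local state is an assumed simplification."""

class Unauthorized(Exception):
    """Principal lacks the permission declared for the attribute."""

class ForbiddenAttribute(Exception):
    """Attribute has no security declaration at all."""

CheckerPublic = "zope.Public"   # permission that is always granted

class Interaction:
    """Current principal plus a per-object grant table standing in for the
    security policy (a real policy would also walk the object's location)."""
    def __init__(self, principal, grants):
        self.principal = principal
        self._grants = grants      # {obj: {principal: {permission, ...}}}

    def check_permission(self, permission, obj):
        if permission == CheckerPublic:
            return True
        return permission in self._grants.get(obj, {}).get(self.principal, ())

class Checker:
    """Maps attribute names to the permission needed to read or call them."""
    def __init__(self, get_permissions):
        self._get = dict(get_permissions)

    def check(self, interaction, obj, name):
        permission = self._get.get(name)
        if permission is None:              # undeclared is not "denied":
            raise ForbiddenAttribute(name)  # it is simply never reachable
        if not interaction.check_permission(permission, obj):
            raise Unauthorized(interaction.principal, name, permission)

class Proxy:
    """Wraps obj; every attribute read runs the checker before delegating."""
    def __init__(self, obj, checker, interaction):
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_checker", checker)
        object.__setattr__(self, "_interaction", interaction)

    def __getattr__(self, name):    # reached only for names not on the proxy
        self._checker.check(self._interaction, self._obj, name)
        return getattr(self._obj, name)

CHECKERS = {}                      # class -> Checker, filled by declarations
DEFAULT_CHECKER = Checker({})      # unregistered classes declare nothing

def proxy_factory(obj, interaction):
    """Wrap obj in a Proxy; idempotent, like ProxyFactory."""
    if isinstance(obj, Proxy):
        return obj
    return Proxy(obj, CHECKERS.get(type(obj), DEFAULT_CHECKER), interaction)

def can_access(obj, name, interaction):
    """True/False for a declared attribute.  An undeclared attribute lets
    ForbiddenAttribute propagate: the 'no security declaration at all' case."""
    proxy = proxy_factory(obj, interaction)
    try:
        proxy._checker.check(interaction, proxy._obj, name)
    except Unauthorized:
        return False
    return True

# Constructed sample content, declarations and grants (not from the thread).
class Document:
    def __init__(self, title, body):
        self.title, self.body = title, body

CHECKERS[Document] = Checker({"title": CheckerPublic, "body": "zope.View",
                              "__call__": "zope.View"})
PUBLIC = Document("public report", "findme: quarterly numbers")
SECRET = Document("board minutes", "findme: confidential")
CATALOG = [PUBLIC, SECRET]         # what catalog.searchResults would hand back
GRANTS = {PUBLIC: {"alice": {"zope.View"}, "bob": {"zope.View"}},
          SECRET: {"alice": {"zope.View"}}}

def permitted_results(results, principal, name="__call__"):
    """The filter from the thread: keep hits on which principal may access name."""
    interaction = Interaction(principal, GRANTS)
    return [obj for obj in results if can_access(obj, name, interaction)]

def read_body(obj, principal, proxied):
    """Read obj.body raw or through a proxy: only the proxied read is checked."""
    interaction = Interaction(principal, GRANTS)
    target = proxy_factory(obj, interaction) if proxied else obj
    try:
        return target.body
    except Unauthorized:
        return "denied"
```

The two read_body paths are the point behind the whole thread: an unproxied object performs no check at all, so only the proxied path (the one canAccess takes for you) can ever answer no. An attribute with no declaration raises ForbiddenAttribute rather than returning False, which is the case Stephan distinguishes from the boolean result.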




Re: [Zope3-Users] Permissions of a given object

2006-01-17 Thread Frank Burkhardt
Hi,

On Tue, Jan 17, 2006 at 10:53:12AM -0500, Gary Poster wrote:

[snip]

 The meaning of objects a user can access varies significantly from
 application to application.  You will probably want to optimize this
 filter by creating an index eventually.  For some policies and questions,
 this might be hard to do well.  We'll be releasing an index that does this
 sort of thing for one kind of use case soon, but it doesn't precisely
 match what you are doing here. 

 You'll probably want to think about this problem for your app and see how
 you can index the data.

Even if I wrote an index for this, I would still need some method to
check if a given principal is allowed to access a given object.

Finally, I found a solution:

 from zope.app import zapi
 from zope.security.checker import ProxyFactory
 from zope.security.interfaces import Unauthorized

 list = catalog.searchResults(content='findme')
 permitted_list = []
 for obj in list:
     viewname = zapi.getDefaultViewName(obj, self.request)
     try:
         # look the default view up on the *proxied* object so that the
         # current principal's access to it is checked
         view = zapi.queryMultiAdapter((ProxyFactory(obj), self.request),
                                       name=viewname)
         permitted_list.append(view)
     except Unauthorized:
         pass  # don't list this one

Regards,

Frank


Re: [Zope3-Users] Permissions of a given object

2006-01-12 Thread Stephan Richter
On Thursday 12 January 2006 07:01, Frank Burkhardt wrote:
  from zope.app import zapi
  from zope.security.checker import canAccess

  for obj in catalog.searchResults(content=searchquery):
      view = zapi.queryMultiAdapter((obj, self.request), name='view.html')
      try:
          canAccess(view, '__call__')   # expected to raise if access is denied
          search_results.append(obj)
      except:
          pass  # object inaccessible

 But canAccess never fails here - even if the object is inaccessible.

canAccess() returns a boolean unless there is no security declaration at all.

Regards,
Stephan
-- 
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training


Re: [Zope3-Users] Permissions of a given object

2006-01-12 Thread Frank Burkhardt
Hi,

On Thu, Jan 12, 2006 at 07:19:02AM -0500, Stephan Richter wrote:

[snip]

  But canAccess never fails here - even if the object is inaccessible.
 
 canAccess() returns a boolean unless there is no security declaration at all.

I changed the code fragment to

 from zope.app import zapi
 from zope.security.checker import canAccess

 for obj in catalog.searchResults(content=searchquery):
     view = zapi.queryMultiAdapter((obj, self.request), name='view.html')
     if canAccess(view, '__call__'):
         search_results.append(obj)
     else:
         pass  # object inaccessible

but the problem remains: canAccess returns True for all inaccessible objects.

Regards,

Frank


[Zope3-Users] Permissions of a given object

2005-12-14 Thread Frank Burkhardt
Hi,

when I search using a catalog, I get a list of persistent objects,
but maybe there are objects among them the calling user
doesn't have permissions for.

How do I check if the current user (the one calling the view
which queries the catalog) is allowed to view an object?

How do I change permissions of a persistent object in python
(not using the ZMI)?

Thank you for any hint.

Regards,

Frank