Re: [Zope3-Users] Re: how to know if a principal has the right permissions

2006-08-28 Thread Philipp von Weitershausen
Lorenzo Gil Sanchez wrote:
 On Sun, 27-08-2006 at 23:53 +0200, Philipp von Weitershausen
 wrote:
 
 zope.security.canAccess
 zope.security.canWrite
 
 Nice, I didn't know about those and I ended up writing my own solution:
 
 def canAdd(self):
     interaction = ZopeSecurityPolicy()
     interaction.add(Participation(self.request.principal))

Ack. Just get the current interaction with
zope.security.management.getInteraction(). With this code you're
hard-wiring yourself to the security policy in zope.app.securitypolicy.

     return interaction.checkPermission(zope.ManageContent,
                                        self.context)
 
 I'm trying to know if the user can add an item to a container. I don't
 know how to do that with zope.security.canWrite. I tried with
 
 zope.security.canWrite(self.context, '__data') 
 
 since my container inherits from SampleContainer and the '__data'
 attribute is a dictionary-like object where the children are stored. I
 get a ForbiddenAttribute exception with that code.

Right. Because you're not supposed to poke at __data. The two
underscores should scare you off!

By the way, this is a rule of thumb:

Whenever you get ForbiddenAttribute errors, you're doing something
wrong. Either:

  1. you're missing security declarations

  2. you're accessing something that purposely has no security
 declarations because you're not supposed to access it.

Most of the time when newbies hit ForbiddenAttribute, it's #1. In your
case it's #2.

If you would take advantage of interfaces and look at IContainer, you
would see that containers are like mappings (=dictionaries). Therefore,
in order to add something in the container, you need to be able to
access the __setitem__ method. Check for that and you'll be all set.

Philipp
___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users


Re: [Zope3-Users] Re: how to know if a principal has the right permissions

2006-08-28 Thread Philipp von Weitershausen
Lorenzo Gil Sanchez wrote:
 Right. Because you're not supposed to poke at __data. The two
 underscores should scare you off!

 By the way, this is a rule of thumb:

 Whenever you get ForbiddenAttribute errors, you're doing something
 wrong. Either:

   1. you're missing security declarations

   2. you're accessing something that purposely has no security
  declarations because you're not supposed to access it.

 Most of the time when newbies hit ForbiddenAttribute, it's #1. In your
 case it's #2.

 If you would take advantage of interfaces and look at IContainer, you
 would see that containers are like mappings (=dictionaries). Therefore,
 in order to add something in the container, you need to be able to
 access the __setitem__ method. Check for that and you'll be all set.

 Sorry, my fault: I forgot to mention that I *did try*
 zope.security.canWrite(obj, '__setitem__') before and it always returns
 False, no matter if I try with the right user.

Why canWrite? You're not trying to *set* __setitem__! You should be
checking for canAccess(container, '__setitem__'). People who want to add
stuff to a container want to *call* container.__setitem__(...). I
suggest you read up on the Python mapping API.

 That's why I started to poke with '__data' which I know was going to be
 a hack. By the way, by your rule of thumb I should not play with
 '__setitem__' neither (e.g. it has four underscores).

You did not understand my rule of thumb. Read the rule of thumb again
and check whether it contains any mentionings of underscores. It
doesn't. It's about ForbiddenAttribute errors, not underscores. And if
you'd know your Python, you'd know __setitem__ is a standard mapping API
method.

Philipp


Re: [Zope3-Users] Re: how to know if a principal has the right permissions

2006-08-28 Thread Lorenzo Gil Sanchez
On Mon, 28-08-2006 at 20:49 +0200, Philipp von Weitershausen
wrote:
 Lorenzo Gil Sanchez wrote:
  Right. Because you're not supposed to poke at __data. The two
  underscores should scare you off!
 
  By the way, this is a rule of thumb:
 
  Whenever you get ForbiddenAttribute errors, you're doing something
  wrong. Either:
 
     1. you're missing security declarations
 
     2. you're accessing something that purposely has no security
        declarations because you're not supposed to access it.
 
  Most of the time when newbies hit ForbiddenAttribute, it's #1. In your
  case it's #2.
 
  If you would take advantage of interfaces and look at IContainer, you
  would see that containers are like mappings (=dictionaries). Therefore,
  in order to add something in the container, you need to be able to
  access the __setitem__ method. Check for that and you'll be all set.
 
  Sorry, my fault: I forgot to mention that I *did try*
  zope.security.canWrite(obj, '__setitem__') before and it always returns
  False, no matter if I try with the right user.
 
 Why canWrite? You're not trying to *set* __setitem__! You should be
 checking for canAccess(container, '__setitem__'). People who want to add
 stuff to a container want to *call* container.__setitem__(...). I
 suggest you read up on the Python mapping API.
 

Oh! that was a stupid error indeed :(

Using canAccess now just does the opposite: it always returns True. I
guess that's because when I register my container in the ZCML file I'm
using zope.Public for the whole interface. I should split my interface
in two interfaces, one for read-only attributes and one for write
attributes, like the IContainer does.

So instead of inheriting my INewsFolder interface from IContainer I
inherit from IReadContainer and I explicitly say in the configure.zcml
that it also implements IWriteContainer. That way I can specify
different permissions for read and write attributes.

Thanks a lot for your answers Philipp

Lorenzo



Re: [Zope3-Users] Re: how to know if a principal has the right permissions

2006-08-28 Thread Philipp von Weitershausen
Lorenzo Gil Sanchez wrote:
 On Mon, 28-08-2006 at 20:49 +0200, Philipp von Weitershausen
 wrote:
 Lorenzo Gil Sanchez wrote:
 Right. Because you're not supposed to poke at __data. The two
 underscores should scare you off!

 By the way, this is a rule of thumb:

 Whenever you get ForbiddenAttribute errors, you're doing something
 wrong. Either:

   1. you're missing security declarations

   2. you're accessing something that purposely has no security
  declarations because you're not supposed to access it.

 Most of the time when newbies hit ForbiddenAttribute, it's #1. In your
 case it's #2.

 If you would take advantage of interfaces and look at IContainer, you
 would see that containers are like mappings (=dictionaries). Therefore,
 in order to add something in the container, you need to be able to
 access the __setitem__ method. Check for that and you'll be all set.

 Sorry, my fault: I forgot to mention that I *did try*
 zope.security.canWrite(obj, '__setitem__') before and it always returns
 False, no matter if I try with the right user.

 Why canWrite? You're not trying to *set* __setitem__! You should be
 checking for canAccess(container, '__setitem__'). People who want to add
 stuff to a container want to *call* container.__setitem__(...). I
 suggest you read up on the Python mapping API.

 
 Oh! that was a stupid error indeed :(
 
 Using canAccess now just does the opposite: it always returns True. I
 guess that's because when I register my container in the ZCML file I'm
 using zope.Public for the whole interface. I should split my interface
 in two interfaces, one for read-only attributes and one for write
 attributes, like the IContainer does.
 
 So instead of inheriting my INewsFolder interface from IContainer I
 inherit from IReadContainer and I explicitly say in the configure.zcml
 that it also implements IWriteContainer. That way I can specify
 different permissions for read and write attributes.

Or, you leave INewsFolder as it is and only use IReadContainer and
IWriteContainer in the ZCML declarations. That's what I would do. If you
have my book, check the Containers chapter, it's done like this there.

Philipp
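
The ZCML change discussed in the last two messages, as an added example (not code from the thread or from the book it mentions): the `zope.Public` registration is shown commented out beside a registration that splits permissions along IReadContainer and IWriteContainer. The class and module names, the `zope.View` read permission and the `zope.app.container.interfaces` path are assumptions.

```xml
<configure xmlns="http://namespaces.zope.org/zope">

  <!-- BEFORE (weak), commented out so this file loads without conflicts.
       One permission covers the whole interface, so __setitem__ is as
       public as __getitem__ and canAccess(container, '__setitem__')
       is True for every principal, as Lorenzo describes.

  <class class=".newsfolder.NewsFolder">
    <require
        permission="zope.Public"
        interface=".interfaces.INewsFolder"
        />
  </class>
  -->

  <!-- AFTER: INewsFolder itself is left unchanged (hypothetical
       .newsfolder.NewsFolder still implements it); only the security
       declarations are split by container sub-interface. -->
  <class class=".newsfolder.NewsFolder">

    <!-- Read side of the mapping API: __getitem__, keys, values, ...
         zope.View is an assumed choice of read permission. -->
    <require
        permission="zope.View"
        interface="zope.app.container.interfaces.IReadContainer"
        />

    <!-- Write side: __setitem__ and __delitem__. With this declaration
         canAccess(container, '__setitem__') is True only for principals
         that hold zope.ManageContent on the container. -->
    <require
        permission="zope.ManageContent"
        interface="zope.app.container.interfaces.IWriteContainer"
        />

  </class>

</configure>
```

Any attribute that INewsFolder adds beyond the two container interfaces is not covered by these two `require` directives and needs its own declaration, otherwise access to it raises ForbiddenAttribute (case #1 of the rule of thumb above).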
