Marvin Calingacion wrote at 2005-9-29 21:30 +0800:
>I would like to ask for some advice and tips on how to set-up
>user-privileges on the site I made with Zope. These privileges will be based
>on some sections of a given page while others will require a whole page.
>
>Example:
>
>-> Page 1
>- Section/Module 1
>- Section/Module 2
>
>-> Page 2
>- Section/Module 1
>- Section/Module 2
>
>As I read the manual/book, I found that Zope has its own mechanism of
>setting securities/privileges even creating groups with its own set of
>rights on the site but I am not able to comprehend how to apply such with my
>site. Hope to hear one from you.

While you did not understand the Zope book, I did not understand
what you want to achieve...

I will try to help you understand the basic principles:

Zope is an object-oriented system. What you essentially do in
such a system is calling methods.

Some methods (in fact most of them) do sensitive things.
You want to protect their call (to protect your system).

Zope introduces so called permissions to protect methods.
A permission is just a (hopefully speaking) name, e.g. "View".
A given permission can be used to protect zero, one or more
methods. A given method can be protected by a single permission.

When a method is protected by permission "P", then the user
calling the method must have permission "P". Otherwise,
an "Unauthorized" exception is raised.

How does a user get a permission "P"?

This does not happen directly but via so called roles.
A role is again just a (hopefully speaking) name, e.g. "Manager".

A user can have a set of global roles (maintained in the UserFolder).
Furthermore, he can get additional roles in subhierarchies.
These are called (somewhat wrongly) "local roles" (roles valid
not globally but only in a local context).

With respect to a given object (and the calls of its methods),
a user has a set of roles on this object: his global roles
and the local roles in effect at this object.

Finally, there is the "permission to role" mapping, managed
in the "Permissions" tab of each object. There you specify
for each permission which roles should be granted the permission.
You can also specify whether grants from higher up in the
hierarchy should be acquired or ignored.
You can say for example that the permission "View" should be
granted to the role "Manager".

Now, the picture is complete. When a user wants to call
a method of object "o" protected by permission "P",
Zope will check whether the user has on "o" a role
for which the permission "P" is granted.

How do you play with this setup:

Usually, the permissions and the methods they protect
are fixed (unless you create new methods and permissions that
protect them). Thus, you do not play with these.

Instead, you play with roles (define new ones, if necessary),
and assign them to users, either globally or locally in different
parts of your site (--> "local roles").

Furthermore, you adjust the "permission to role" mapping
in such a way that a user can (based on its roles)
precisely call the methods you want him to be able to call
(and not the others).

--
Dieter
_______________________________________________
Zope-DB mailing list
Zope-DB@zope.org
http://mail.zope.org/mailman/listinfo/zope-db
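
Added illustration (not part of the message above and not Zope's own code): a simplified Python model of the check the reply describes, with global roles, local roles in a subhierarchy, and a "permission to role" mapping that either acquires grants from higher up or ignores them. The class and function names, the users, the roles "Member" and "Editor", and the page/section layout are assumptions constructed for the example.

```python
class Unauthorized(Exception):
    """Raised when the caller holds no role that is granted the permission."""

class Node:
    """Hypothetical stand-in for an object in the site hierarchy."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.local_roles = {}   # user -> roles valid here and below
        self.perm_roles = {}    # permission -> (roles, acquire flag)

    def grant(self, permission, roles, acquire=True):
        self.perm_roles[permission] = (set(roles), acquire)

    def roles_for_permission(self, permission):
        """Roles granted the permission here, plus acquired grants if enabled."""
        roles, acquire = self.perm_roles.get(permission, (set(), True))
        if acquire and self.parent is not None:
            return roles | self.parent.roles_for_permission(permission)
        return set(roles)

    def roles_of_user(self, user, global_roles):
        """Global roles plus the local roles in effect at this object."""
        roles, node = set(global_roles.get(user, ())), self
        while node is not None:
            roles |= node.local_roles.get(user, set())
            node = node.parent
        return roles

def check(user, global_roles, obj, permission):
    """Allow the call only if one of the user's roles on obj is granted."""
    allowed = obj.roles_for_permission(permission)
    if not (obj.roles_of_user(user, global_roles) & allowed):
        raise Unauthorized(f"{user} lacks {permission!r} on {obj.name}")
    return True

def can(user, global_roles, obj, permission):
    try:
        return check(user, global_roles, obj, permission)
    except Unauthorized:
        return False

# Constructed sample site: one whole page open to members, one restricted section.
GLOBAL_ROLES = {"alice": {"Member"}, "bob": {"Member"}, "root": {"Manager"}}
site = Node("site")
site.grant("View", {"Manager", "Member"})
page1 = Node("page1", site)                      # acquires "View" from site
section2 = Node("page1/section2", page1)
section2.grant("View", {"Manager", "Editor"}, acquire=False)  # ignore grants above
section2.local_roles["alice"] = {"Editor"}       # local role, only in this subtree
```

Here alice and bob share the same global role, yet only alice can view the restricted section, because her local role "Editor" is in effect there and the section's mapping no longer acquires the site-wide grant to "Member".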