Igor Stroh wrote: > > Hi all, > > I don't know if it's the right list to post to, but I have the following > problem: > I have several objects (documents, folders etc) that are accessible only > by a certain user role, this objects are cataloged. Now if I query the > catalog the brains of these objects are returned correctly, but to _all_ > users that issue a query. That means, users that don't have the permission > to "View" or "Access Content Information" can see the brains as well... > I tried to filter the result set by converting the brains into real > objects (brain.getObject) in an external method (I thought, this way I > should be able to exclude unauthorized users by adding the > "skip_unauthorized" to the dtml-in), but that doesn't work > since there are "brains" that are actually NoBrainer instances... > > Does anyone have an idea of how I could solve this problem? > Actually I thought this kind of "information hiding" is supported by basic > ZCatalog machinery, but now it looks like I'll have to hack a > workaround... > > Any help greatly appreciated.
Igor, I had exactly the same problem and solved it this way: 1. define a method 'catalog_permission' in the classes of the objects that will be indexed: from AccessControl.PermissionRole import rolesForPermissionOn class someClass(Folder): def catalog_permission(self): """ return: Liste der roles, die die permissions 'View', 'Access Content Information" sowie "view archivDoc" haben """ l1 = rolesForPermissionOn('View', self) if type(l1) == type(''): l1 = [l1, ] l2 = rolesForPermissionOn('Access contents information', self) if type(l2) == type(''): l2 = [l2, ] res = [] for x in l1: if x in l2: res.append(x) return res 2. define a new Catalog class, with a newly defined method searchResults: from Products.ZCatalog.ZCatalog import ZCatalog from AccessControl import getSecurityManager class ACatalog(ZCatalog): def searchResults(self, REQUEST=None, used=None, **kw): """ """ roles = getSecurityManager().getUser().getRoles() if REQUEST is not None: REQUEST['catalog_permission'] = roles elif kw != {}: kw['catalog_permission'] = roles else: self.REQUEST['catalog_permission'] = roles return ZCatalog.searchResults(self, REQUEST, used, **kw) 3. Add a keyword index 'catalog_permission' to the ACatalog instance. (Ok, that could be done automatically in ACatalog.__init__ , but I was too lazy to write that...) A more reliable implemetation should make sure that only those objects are indexed, which define a method catalog_permission. Or Catalog.catalogObject could be overloaded to automatically build the information to be thrown into the catalog_permission index. Abel _______________________________________________ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )