On 4/11/09 10:20 PM, Tim Hoffman wrote:
> Hi Chris
> can I specify security annotations on objects persisted in the zodb as
> per zope3/zope2
> which are over and above the class/view decleration.

Yes, for instance, in some code that manipulates a persistent object, you can 
something like:

from repoze.bfg.security import Authenticated
from repoze.bfg.security import Allow
blogentry.__acl__ = [(Allow, 'fred', 'edit'), (Allow, Authenticated, 'view')]

When that object (or one of its children) becomes the "context" of a view 
when you traverse to a URL which represents the blog entry object's default 
view), the combination of the view's permission and the principals attached to 
the request is compared against the object's ACL.  Access is allowed or denied. 
  For example:

from repoze.bfg.view import bfg_view
from mypackage.interfaces import IBlogEntry

@bfg_view(for_=IBlogEntry, permission='edit')
def blogentry_edit_view(context, request):

... only a principal named 'fred' would be allowed to invoke this view if 
'context' was the blogentry you attached the above ACL to.

There is an "acquisition" model for ACLs which looks at the parents of the 
context in the model graph (often up a tree of persistent objects) to find an 
ACL if one is not defined on the context.

- C
Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to