Martin Aspeli wrote:
> So, here is what I'd like to propose, ideally for Zope 2.12:
>
> 1) Use an event handler to ensure that any <permission /> declared in
> ZCML actually creates a valid, Zope 2 permission. I have working code
> for this here which we could put in Products.Five with ease.
+1
> 2) Emit a warning instead of an error in Five's handler for the <class
> /> directive when set_attributes or set_schema are used.
+1
> 3) Change the Permission class in AccessControl so that it tries to
> look up an IPermission utility and use the title of that utility as the
> permission name, falling back on the current behaviour of using the
> passed permission name directly.
-1
I think we should start advertising the zope.security API for this
instead. For example:
from zope.security import checkPermission
checkPermission('zope2.Private', context)
This works by looking up the current security interaction from a thread
local, which in Five's case is a FiveSecurityPolicy. This policy
delegates to the checkPermission function found in
Products.Five.security which does exactly what you want:
if (permission in ('zope.Public', 'zope2.Public') or
permission is None or permission is CheckerPublic):
return True
if isinstance(permission, basestring):
permission = queryUtility(IPermission, unicode(permission))
if permission is None:
return False
if getSecurityManager().checkPermission(permission.title, object):
return True
return False
_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
