Martin Aspeli wrote:
> So, here is what I'd like to propose, ideally for Zope 2.12:
>   1) Use an event handler to ensure that any <permission /> declared in 
> ZCML actually creates a valid, Zope 2 permission. I have working code 
> for this here which we could put in Products.Five with ease.


>   2) Emit a warning instead of an error in Five's handler for the <class 
> /> directive when set_attributes or set_schema are used.


>   3) Change the Permission class in AccessControl so that it tries to 
> look up an IPermission utility and use the title of that utility as the 
> permission name, falling back on the current behaviour of using the 
> passed permission name directly.


I think we should start advertising the API for this
instead. For example:

from import checkPermission
checkPermission('zope2.Private', context)

This works by looking up the current security interaction from a thread
local, which in Five's case is a FiveSecurityPolicy. This policy
delegates to the checkPermission function found in which does exactly what you want:

if (permission in ('zope.Public', 'zope2.Public') or
    permission is None or permission is CheckerPublic):
    return True

if isinstance(permission, basestring):
    permission = queryUtility(IPermission, unicode(permission))
    if permission is None:
        return False

if getSecurityManager().checkPermission(permission.title, object):
    return True

return False

Zope-Dev maillist  -
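The lookup described in the message above, modelled as an added example that is not part of the original message or of Five's own code: a Zope 3 permission id is resolved to a registered permission, and that permission's title is what the Zope 2 security manager is asked about. The dict registry, `StubSecurityManager`, `unmapped_permissions` and the `example.*` ids are hypothetical stand-ins so the block runs without Zope installed; the `CheckerPublic` sentinel is left out.

```python
# Self-contained model (Python 3). The registry and security manager are
# hypothetical stand-ins, not Zope's component registry or AccessControl.
from dataclasses import dataclass, field

PUBLIC_IDS = ("zope.Public", "zope2.Public")

@dataclass
class Permission:              # stand-in for an IPermission utility
    id: str
    title: str                 # doubles as the Zope 2 permission name

@dataclass
class StubSecurityManager:     # stand-in for getSecurityManager()
    user_roles: set
    # Zope 2 side: permission name -> roles granted that permission
    roles_for: dict = field(default_factory=dict)

    def checkPermission(self, name, obj):
        return bool(self.user_roles & set(self.roles_for.get(name, ())))

def check_permission(permission_id, obj, registry, manager):
    """Resolve a Zope 3 permission id to its title, then ask Zope 2."""
    if permission_id is None or permission_id in PUBLIC_IDS:
        return True
    permission = registry.get(permission_id)  # models queryUtility(IPermission, id)
    if permission is None:
        return False                           # unregistered id: fail closed
    return manager.checkPermission(permission.title, obj)

def unmapped_permissions(registry, manager):
    """Ids whose title names no Zope 2 permission, so every check is denied."""
    return sorted(p.id for p in registry.values()
                  if p.title not in manager.roles_for)

# Constructed sample data.
REGISTRY = {p.id: p for p in (
    Permission("zope2.View", "View"),
    Permission("example.Audit", "Example: Audit records"),  # hypothetical id
)}
MANAGER = StubSecurityManager(user_roles={"Authenticated"},
                              roles_for={"View": ["Authenticated", "Manager"]})

if __name__ == "__main__":
    for pid in ("zope2.Public", "zope2.View", "example.Audit", "example.Typo"):
        print(pid, check_permission(pid, object(), REGISTRY, MANAGER))
    print("unmapped:", unmapped_permissions(REGISTRY, MANAGER))
```

In this model, `example.Audit` is registered but its title matches no Zope 2 permission, which is the gap that point 1 of the quoted proposal is meant to close.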