Martin Aspeli wrote:
> So, here is what I'd like to propose, ideally for Zope 2.12:
>
> 1) Use an event handler to ensure that any <permission /> declared in
> ZCML actually creates a valid, Zope 2 permission. I have working code
> for this here which we could put in Products.Five with ease.

+1

> 2) Emit a warning instead of an error in Five's handler for the <class
> /> directive when set_attributes or set_schema are used.

+1

> 3) Change the Permission class in AccessControl so that it tries to
> look up an IPermission utility and use the title of that utility as the
> permission name, falling back on the current behaviour of using the
> passed permission name directly.

-1

I think we should start advertising the zope.security API for this
instead. For example:

    from zope.security import checkPermission
    checkPermission('zope2.Private', context)

This works by looking up the current security interaction from a thread
local, which in Five's case is a FiveSecurityPolicy. This policy
delegates to the checkPermission function found in
Products.Five.security which does exactly what you want:

    if (permission in ('zope.Public', 'zope2.Public') or
        permission is None or permission is CheckerPublic):
        return True

    if isinstance(permission, basestring):
        permission = queryUtility(IPermission, unicode(permission))
        if permission is None:
            return False

    if getSecurityManager().checkPermission(permission.title, object):
        return True

    return False

_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )
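
The lookup chain described in the reply above, as an added example that is not part of the original message and is not Zope's code: a plain-Python model built from constructed stand-ins (ModelFivePolicy, ModelSecurityManager, register_permission, check_permission and the sample permission ids are all assumptions). It shows that a permission id is resolved to its title before the Zope 2 check runs, and that an unregistered id, or a Zope 2 title passed where an id is expected, is denied.

```python
import threading

# Constructed stand-ins: none of these names are Zope's own API.
PUBLIC_IDS = ("zope.Public", "zope2.Public")
_local = threading.local()   # models the thread-local security interaction
_permissions = {}            # models the IPermission utility registry: id -> title


def register_permission(perm_id, title):
    """Models what a ZCML <permission id=... title=... /> declaration registers."""
    _permissions[perm_id] = title


class ModelSecurityManager:
    """Models the Zope 2 security manager, which checks permissions by title."""
    def __init__(self, granted_titles):
        self.granted = set(granted_titles)

    def checkPermission(self, title, obj):
        return title in self.granted


class ModelFivePolicy:
    """Models the policy step: resolve an id to a title, then ask Zope 2."""
    def __init__(self, manager):
        self.manager = manager

    def checkPermission(self, permission, obj):
        if permission is None or permission in PUBLIC_IDS:
            return True
        title = _permissions.get(permission)  # stands in for queryUtility(IPermission, id)
        if title is None:
            return False                      # unregistered id: fail closed
        return self.manager.checkPermission(title, obj)


def check_permission(permission, obj):
    """Models the module-level check: delegate to this thread's interaction."""
    interaction = getattr(_local, "interaction", None)
    if interaction is None:
        raise RuntimeError("no interaction on this thread (this model's choice)")
    return interaction.checkPermission(permission, obj)


def demo():
    register_permission("zope2.View", "View")            # sample values, constructed
    register_permission("example.Edit", "Edit content")  # registered but not granted
    _local.interaction = ModelFivePolicy(ModelSecurityManager({"View"}))
    ids = ["zope2.View", "example.Edit", "View", "example.Typo", "zope2.Public"]
    return {i: check_permission(i, object()) for i in ids}
```

In this model the string "View" is denied even though the user holds the "View" permission, because the check expects the id and finds no registration under the title.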