Velko Ivanov wrote:

Dmitry Vasiliev wrote:
Maybe we need always check security map at the root folder?

I don't believe this is the solution. Altrough it will solve my example, it wouldn't help in other scenarios. I would eventually make ZopeConnection and ZopeCursor locatable, if they aren't already, and assign the database adapter as the parent of the connection and the connection to the cursor at the time of their creation.
Actually I'm going to patch it like that right away.

ZopeConnection and ZopeCursor not only an objects without an location, see for example '/++etc++process' so I think it is the UI grant tool problem. I'll post an issue to the collector.

One last question, to clear things a bit for me, as I don't have a Zope3 copy here to try - Imagine the user accesses some python class by the means of submiting a form and that class needs to do some work with the database, so it obtains a database connection, creates a cursor and executes some queries. In this case, will the class access the connection with the user's privileges, or is it trusted ? If it is trusted, my problem here is not of so big importance, but if not, I imagine needs some urgent updates.

I don't believe that I'm currently fully understand whole Z3's security system, :-) but I think you can manage access rights through 'permission' attribute of the form's ZCML directive. For instance in one of my projects there is a pages which use a database connection with 'zope.Public' and 'zope.ManageContent' permissions.

Dmitry Vasiliev (dima at

Zope3-dev mailing list

Reply via email to