I ended up in overriding the permission storage map. This might not be
so conservative, but seems to work. Kills any not ALLOWED permission
and stops propagation.
ALLOWED = ['zope.View', 'zope.app.dublincore.view', ...]
def getSetting(self, permission_id, principal_id, default=Unset):
if permission_id in ALLOWED:
self, permission_id, principal_id, default)
> In a similar use-case, yes, I set up all relevant permissions for a `new
> arrival` using a subscriber - including denying permissions on
> sub-objects. I felt that being explicit about my security design was a
> good decision.
> Hope that helps.
Adam mailto:[EMAIL PROTECTED]
Zope3-dev mailing list