For a simple content management system we're building, I've started
working on a simple security interface which is supposed to enable /
disable 'view' (and Dublin Core view). The setup that I have - or want
to have - is a UI that says:

Who can see this item?

- Everybody
- Nobody (grants view to zope.Manager and our.cms.ContentEditor roles
only, for now)
- Specific Users

If 'specific users' is selected, users from the local principal folder
are listed for selection.

I seem to have my implementation working somewhat - I can go to the
normal Grant screen and see specific users have 'Allow' checked for
the view permissions managed by my sharing view. And 'zope.anybody' is

>>> pprint(settingsForObject(jobs))
  {'principalPermissions': [{'permission': 'zope.View',
                             'principal': u'brcmscms.user2',
                             'setting': PermissionSetting: Allow},
                            {'permission': 'zope.View',
                             'principal': 'zope.anybody',
                             'setting': PermissionSetting: Deny},
                            {'permission': '',
                             'principal': u'brcmscms.user2',
                             'setting': PermissionSetting: Allow},
                            {'permission': '',
                             'principal': 'zope.anybody',
                             'setting': PermissionSetting: Deny}],
   'principalRoles': [],
   'rolePermissions': []}),

When I traverse to the object in question in another browser, I get
prompted for login. But if I supply different credentials (i.e., one of
the users not Allowed explicit view privileges), I'll still see the

Am I denying the right person here? Globally, the permission is set up
as follows:

                       {'permission': 'zope.View',
                        'role': 'zope.Anonymous',
                        'setting': PermissionSetting: Allow},

Should I Deny access to the zope.Anonymous role? To the Everybody
group? To the Unauthenticated Group? Right now, I only deny the

    from zope.app import zapi
    from zope.app.security.interfaces import IUnauthenticatedPrincipal
    from zope.app.securitypolicy.interfaces import IPrincipalPermissionManager

    def denyUnauthenticated(self):
        """ Explicitly deny the view permissions for unauthenticated users. """
        # The unauthenticated principal ('zope.anybody') is registered as a utility.
        anybody = zapi.getUtility(IUnauthenticatedPrincipal).id
        # Principal-permission settings local to the context object.
        pmanager = IPrincipalPermissionManager(self.context)
        for permission in self._view_permissions:
            pmanager.denyPermissionToPrincipal(permission, anybody)

This is in Zope 3.1.0 on Python 2.3.5

The point of this simple 'sharing' interface is to let our customer
have a press folder that they can restrict access to by allowing only
limited people in to it. We're trying to keep the user interface as
simple as possible.
Zope3-users mailing list
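As an added example (not code from the post and not Zope's own policy code), a toy model of the resolution order the question turns on: principal-level settings, the principal itself before its groups, are consulted before role grants, so a Deny on 'zope.anybody' alone never reaches a logged-in user who gets zope.View through the zope.Anonymous role. It assumes a 'zope.Everybody' group that holds the zope.Anonymous role, that every principal including zope.anybody belongs to it, and a second user 'brcmscms.user3'.

```python
# Toy model of Zope 3 permission resolution (added example, NOT
# zope.app.securitypolicy code). Assumed order: a principal's own settings,
# then its groups' settings, then role grants. Principal ids are per-principal,
# so a Deny on zope.anybody says nothing about other principals.
from typing import Dict, List, Tuple


class ToyPolicy:
    def __init__(self) -> None:
        self.prin_perm: Dict[Tuple[str, str], bool] = {}  # (principal, perm) -> Allow/Deny
        self.role_perm: Dict[Tuple[str, str], bool] = {}  # (role, perm) -> Allow/Deny
        self.prin_role: Dict[Tuple[str, str], bool] = {}  # (principal, role) -> Allow/Deny
        self.groups: Dict[str, List[str]] = {}            # principal -> group ids

    def check(self, principal: str, permission: str) -> bool:
        # 1. principal-level settings: the principal itself, then its groups
        for p in [principal] + self.groups.get(principal, []):
            setting = self.prin_perm.get((p, permission))
            if setting is not None:
                return setting
        # 2. role-based settings: a held role that grants the permission
        roles = {r for (r, perm), s in self.role_perm.items() if perm == permission and s}
        for p in [principal] + self.groups.get(principal, []):
            if any(s and pr == p and r in roles for (pr, r), s in self.prin_role.items()):
                return True
        return False


def press_folder(deny_group: bool) -> ToyPolicy:
    """Scenario from the post: global Allow of zope.View to role zope.Anonymous,
    local Allow for user2, local Deny for zope.anybody. The 'zope.Everybody'
    group holding zope.Anonymous and its membership are ASSUMPTIONS."""
    pol = ToyPolicy()
    pol.role_perm[("zope.Anonymous", "zope.View")] = True       # global grant (from post)
    pol.prin_role[("zope.Everybody", "zope.Anonymous")] = True  # assumed
    for p in ("zope.anybody", "brcmscms.user2", "brcmscms.user3"):
        pol.groups[p] = ["zope.Everybody"]                      # assumed membership
    pol.prin_perm[("brcmscms.user2", "zope.View")] = True       # sharing view: Allow
    pol.prin_perm[("zope.anybody", "zope.View")] = False        # denyUnauthenticated()
    if deny_group:  # alternative: deny on the group every principal belongs to
        pol.prin_perm[("zope.Everybody", "zope.View")] = False
    return pol


def who_can_view(deny_group: bool) -> Dict[str, bool]:
    pol = press_folder(deny_group)
    users = ("zope.anybody", "brcmscms.user2", "brcmscms.user3")
    return {p: pol.check(p, "zope.View") for p in users}


if __name__ == "__main__":
    print(who_can_view(False))  # user3 still sees the folder via the role grant
    print(who_can_view(True))   # only user2, with its explicit Allow, sees it
```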