Frank Burkhardt wrote:

Do I understand it right, that I do not grant a permission to a principal on a certain object instance? I only grant a permission to use a certain interface!?

You can either grant permissions to principals (or groups/roles) globally. 
Those permissions
can be used in multiple ways:
   * To protect Views. You can only access views you have permissions for (e.g. 
<browser:page ...> )
   * To protect attributes/methods of classes (*not objects*) (<class 
...><required interface=...>)
   * To define, who is allowed to modify certain attributes (<class ...><required 
set_schema=...> )

I can follow to this point. That's how I understand Zope security until now.

Additionally you may grant permissions (and role memberships) on a per object 
(*not per class*)
basis ( using e.g. the grant.html-View) which effects only a single object.

That's what I was looking for, but don't know how to do. For I example:

I want to let a user create an object (i.e. a message in a message board). All users with a certain role (i.e. Admins) should be able to edit the new object, but the creating user should also be able to edit it. So I have to give him the persmission to edit.

How can I do something like that?


Zope3-users mailing list

Reply via email to