On Fri, Sep 08, 2006 at 10:12:34AM +0400, Denis Shaposhnikov wrote:
> >>>>> "Stephan" == Stephan Richter <[EMAIL PROTECTED]> writes:
>
>  Stephan> You cannot grant permissions via ZCML to principals that are
>  Stephan> located in the ZODB. You have to use the "Grant" view of the
>  Stephan> folder for this.
>
> Oh, that's bad news. Am I right that Zope3 has principals in either
> ZODB or ZCML?

Principals in Zope3 are identified by simple text strings (e.g. zope.Manager). When a request is processed by the Zope server, it tries to find an IAuthentication utility which has a method to provide credentials (username, password), returning a principal object which is not persistent (-> changing attributes on that object won't affect anything after that request).

The problem is: when the ZCML tree is parsed, any <grant> statement tries to verify that the given principal exists. This verification fails for principals provided by a PAU or another site-manager-registered IAuthentication utility.

If you want to assign a permission to a principal for the whole ZODB, just do that for the root folder and it will be inherited down the traverse path. Example:

    from zope.app.securitypolicy.interfaces import IPrincipalPermissionManager
    from zope.app import zapi

    # context is any object located in the ZODB tree
    root = zapi.getRoot(context)
    # adapt the root folder to its principal-permission map
    ppm = IPrincipalPermissionManager(root)
    ppm.grantPermissionToPrincipal('zope.ManageContent', 'my.principal')

The permission-principal assignment is stored as a simple text tuple - there's no check for the validity of either the principal's or the permission's id.

Regards,
Frank
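
Because grants are stored as unchecked id strings, a mistyped or stale id is accepted silently. The following audit sketch is an added example, not part of the original message or of Zope's own code. It assumes the adapter's getPrincipalsAndPermissions() returns (permission_id, principal_id, setting) triples and that a failed IAuthentication.getPrincipal() lookup raises a LookupError subclass; FakeGrants, FakeAuth and the sample ids are constructed stand-ins.

```python
def find_dangling_grants(ppm, auth, known_permissions):
    """Return (permission_id, principal_id, problem) for every stored grant
    whose permission or principal id cannot be resolved."""
    findings = []
    # Assumed shape: (permission_id, principal_id, setting) per stored grant.
    for permission_id, principal_id, _setting in ppm.getPrincipalsAndPermissions():
        if permission_id not in known_permissions:
            findings.append((permission_id, principal_id, "unknown permission"))
        try:
            auth.getPrincipal(principal_id)
        except LookupError:  # assumption: PrincipalLookupError is a LookupError
            findings.append((permission_id, principal_id, "unknown principal"))
    return findings


class FakeGrants:
    """Constructed stand-in for IPrincipalPermissionManager(root)."""
    def __init__(self, rows):
        self.rows = list(rows)

    def getPrincipalsAndPermissions(self):
        return list(self.rows)


class FakeAuth:
    """Constructed stand-in for the site's IAuthentication utility."""
    def __init__(self, principal_ids):
        self.principal_ids = set(principal_ids)

    def getPrincipal(self, principal_id):
        if principal_id not in self.principal_ids:
            raise LookupError(principal_id)
        return principal_id


# Constructed sample data: one valid grant and two with mistyped ids.
SAMPLE_GRANTS = [
    ("zope.ManageContent", "my.principal", "Allow"),
    ("zope.ManageContnet", "my.principal", "Allow"),   # typo in permission id
    ("zope.View", "my.princpal", "Allow"),             # typo in principal id
]
SAMPLE_PRINCIPALS = {"my.principal"}
SAMPLE_PERMISSIONS = {"zope.ManageContent", "zope.View"}

if __name__ == "__main__":
    for row in find_dangling_grants(FakeGrants(SAMPLE_GRANTS),
                                    FakeAuth(SAMPLE_PRINCIPALS),
                                    SAMPLE_PERMISSIONS):
        print(row)
```

On a real site, pass IPrincipalPermissionManager(root), the site's IAuthentication utility, and the set of registered permission ids instead of the stand-ins.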