I've got a container, and all of my users have the 'zope.ManageContent' permission
in it. A subobject of the container is sensitive - users must not be able to
change this object, which means I have to take away the 'zope.ManageContent'
permission from all my users (except for one!) whenever context=subobject.

I tried using security-annotations which worked fine for single users:

However, this is rather impractical for 1000+ users - so I tried:
 - didn't work :-( .

The greater picture: I need a "Sticky-Bit"-Container. Users with
'zope.ManageContent' permission should be allowed to create (certain
kind of) objects, which will be automatically security (role-)annotated
(principal.id,'mpgsite.Owner',Allow). The 'mpgsite.Owner' role implies
some permissions - incl. 'zope.ManageContent'.
Unfortunately, 'zope.ManageContent' is inherited from the container -
granting editing rights to everyone.

Did I miss anything or is it impossible to "de-assign" a permission
based on roles/groups?


Zope3-users mailing list
