On Wed, Dec 19, 2007 at 10:56:49PM +0200, Marius Gedminas wrote:
> On Wed, Dec 19, 2007 at 08:32:02PM +0100, Lorenzo Gil Sanchez wrote:
> > - Why do I have to define permissions for a view if I already
> > configured the same permissions for the class? The view should always
> > have more restrictive permissions than the content type class or is
> > there any use case for the opposite?
>
> The view doesn't know the permission of the content class. Note that
> your view is registered on IMyContent, and not on MyContent directly.
> You might register more than one content class implementing IMyContent,
> and register different permissions.
>
> Another thing -- you might protect different attributes with different
> permissions, and the view directive cannot be smart enough to analyse
> all your source code and page templates to see which of those content
> attributes you want to use in this particular view.

Actually, that doesn't matter in practice -- you can have a public view on a
protected content object, and Zope will do the right thing -- ask the user to
authenticate. In effect the view gets the more restrictive permissions
automatically, the only difference is that the checking happens not during the
traversal to the view, but while rendering the view.

Only you discovered a bug where protecting __name__/__parent__ too strongly
makes this automation break down.

Marius Gedminas
--
We have an advanced scalable groupware communication environment (email)
        -- Alan Cox
_______________________________________________
Zope3-users mailing list
Zope3email@example.com
http://mail.zope.org/mailman/listinfo/zope3-users
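
The behaviour described in the message above, a public view on protected content where the permission check fires while the view renders rather than during traversal, as an added example that is not part of the original thread and is not Zope's own code. It is a simplified model of per-attribute checking; `Unauthorized`, `Guarded`, `REQUIRED`, `render_view`, `publish` and the permission name `example.View` are all assumed names for illustration.

```python
# Simplified model of per-attribute permission checks; this is NOT zope.security.
# Every name below is illustrative and constructed for this example.

class Unauthorized(Exception):
    """Raised when the current principal lacks the permission for an attribute."""

PUBLIC = "public"  # stand-in for a permission that everyone holds


class Guarded:
    """Wraps a content object and checks a permission on every attribute read."""

    def __init__(self, obj, required, granted):
        # required: attribute name -> permission; granted: permissions the user holds
        self._obj, self._required, self._granted = obj, required, granted

    def __getattr__(self, name):
        # Only reached for names not found on the wrapper, i.e. content attributes.
        permission = self._required.get(name)
        if permission is None:
            raise Unauthorized(f"{name}: no permission declared")
        if permission != PUBLIC and permission not in self._granted:
            raise Unauthorized(f"{name}: requires {permission}")
        return getattr(self._obj, name)


class MyContent:
    def __init__(self, title, body):
        self.title, self.body = title, body

# Constructed declarations: different attributes carry different permissions.
REQUIRED = {"title": PUBLIC, "body": "example.View"}

def render_view(context):
    """A view registered as public: reaching it needs no permission at all."""
    return f"<h1>{context.title}</h1><p>{context.body}</p>"

def publish(content, granted):
    """Model of the publisher: traverse to the public view, then render it."""
    try:
        return 200, render_view(Guarded(content, REQUIRED, granted))
    except Unauthorized as exc:
        # The denial surfaces during rendering and becomes an authentication challenge.
        return 401, str(exc)

if __name__ == "__main__":
    doc = MyContent("Hello", "secret text")  # constructed sample content
    print(publish(doc, granted=set()))
    print(publish(doc, granted={"example.View"}))
```

The anonymous request gets past the public view registration and the public `title`, and is only stopped when the template touches `body`, which is why the view ends up with the content's stricter permission without declaring it.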