On Wed, Dec 19, 2007 at 10:56:49PM +0200, Marius Gedminas wrote:
> On Wed, Dec 19, 2007 at 08:32:02PM +0100, Lorenzo Gil Sanchez wrote:
> > - Why do I have to define permissions for a view if I already
> > configured the same permissions for the class? The view should always
> > have more restrictive permissions that the content type class or is
> > there any use case for the opposite?
> The view doesn't know the permission of the content class.  Note that
> your view is registered on IMyContent, and not on MyContent directly.
> You might register more than one content class implementing IMyContent,
> and register different permissions.
> Another thing -- you might protect different attributes with different
> permissions, and the view directive cannot be smart enough to analyse
> all your source code and page templates to see which of those content
> attributes you want to use in this particular view.

Actually, that doesn't matter in practice -- you can have a public view
on a protected content object, and Zope will do the right thing -- ask
the user to authenticate.  In effect the view gets the more restrictive
permissions automatically, the only difference is that the checking
happens not during the traversal to the view, but while rendering the

Only you discovered a bug where protecting __name__/__parent__ too
strongly makes this automation break down.

Marius Gedminas
We have an advanced scalable groupware communication environment (email)
        -- Alan Cox

Attachment: signature.asc
Description: Digital signature

Zope3-users mailing list

Reply via email to