On Wed, Jul 02, 2008 at 08:33:12PM +0200, Mattia Belletti wrote:
> Hi all,
> I'm a newbie to Zope 3, but I immediatly had very "good vibes" about
> it. I started developing a test application. Where I immediatly got some
> problems was when I had to deal with the security model.
> I illustrate my point. In the system I'm writing, users can register
> and create objects inside the system. The security system should be
> quite simple: a user can access the view page of every object, but not
> the edit page, unless he/she is the author. Well, things are more
> complex, but this already is proving me problems.
You've chosen an intuitively obvious task for a test app, however one
that is not at all trivial in Zope. Authentication with dynamic
principals is pretty much as hardcore as it gets.
You'll need to to sort out the authentication part either by writing a
PAU plugin to authenticate your users who have corresponding domain
objects, or even by writing your own local authentication utility.
The authorization part can be done in different ways, but I think the
simplest one is to set up a role 'owner' and then provide a
zope.app.securitypolicy.interfaces.IPrincipalRoleMap adapter for your
content objects that grants the owner role to the owners.
> I think it's pretty evident that the default security policy isn't
> enough for me.
The above should let you solve your problems with the default security
policy. However, you might want to take a look at zc.sharing. It's
an alternative security policy which could be more intuitive for the
content management domain you seem to be working on.
Zope3-users mailing list