Hi all,

Recently I was looking for some zope3 based solutions for implementing
a RESTful public API, and I found z3c.rest. To begin with the package, I have
installed it and enabled the REST views for 'Folder' that are provided in
the 'tests' sub-folder of z3c.rest. It works fine. Then I changed the
permission setting for the GET view from 'zope.View' to 'zope.ManageContent'
and I expected this would make the GET view of the Folder unavailable
to the public. But it was still possible for me to call the GET view with an
'unauthorised' request.

Similarly, I changed the permission for POST/PUT from 'zope.ManageContent'
to 'zope.Public' and still I had to get authenticated to access it.

Can anyone please tell me how I can use local grants with z3c.rest? I
expected it to work the same way as other zope:views do. Please help me with
this.

I have installed the package available in the svn trunk. Zope3 setup is
zope3.4.0c1 + python 2.5.
I have tested the GET view using both a web browser and a Python script.

Following are the original configurations from z3c/rest/tests/folder.zcml:

########################
<view
    for="zope.app.folder.interfaces.IFolder"
    name="GET"
    type="..interfaces.IRESTRequest"
    factory=".folder.FolderAPI"
    permission="zope.View"
    allowed_attributes="GET"
    />

<view
    for="zope.app.folder.interfaces.IFolder"
    name="POST"
    type="..interfaces.IRESTRequest"
    factory=".folder.FolderAPI"
    permission="zope.ManageContent"
    allowed_attributes="POST"
    />

<view
    for="zope.app.folder.interfaces.IFolder"
    name="PUT"
    type="..interfaces.IRESTRequest"
    factory=".folder.FolderAPI"
    permission="zope.ManageContent"
    allowed_attributes="PUT"
    />
##########################

This is how I changed it:

------------------------------------------------------------------
<view
    for="zope.app.folder.interfaces.IFolder"
    name="GET"
    type="..interfaces.IRESTRequest"
    factory=".folder.FolderAPI"
    permission="zope.ManageContent"
    allowed_attributes="GET"
    />

<view
    for="zope.app.folder.interfaces.IFolder"
    name="POST"
    type="..interfaces.IRESTRequest"
    factory=".folder.FolderAPI"
    permission="zope.Public"
    allowed_attributes="POST"
    />

<view
    for="zope.app.folder.interfaces.IFolder"
    name="PUT"
    type="..interfaces.IRESTRequest"
    factory=".folder.FolderAPI"
    permission="zope.Public"
    allowed_attributes="PUT"
    />
--------------------------------------------------------------------

Thanks in advance.

rgds,
Jayarajan J N (IRC nick - jayaraj)
_______________________________________________
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users