Chris Withers wrote:
Nikko Wolf wrote:
I'm trying to allow users to delete objects that have been
accidentally created. I have criteria for what that means, but since
I *DO NOT* want them to delete object except by this method, I want
to avoid granting "Delete objects" to them (non-Managers).
Have the "delete process" done in a python script or external method.
Only give "view" permission to that method to people who you want to
be able to delete objects.
If it's a python script, give it a Proxy role that has the "Delete
objects" permission mapped, and you'll be fine :-)
That was my expectation too, but alas -- it does not work for me. Have
you specifically tried this?
==== Set up:
- Plone Site with "Delete objects" permission granted only to Manager
(not inheriting privs)
- (Plone) Folder "abc" with an object "xyz" under the Plone Site
(inheriting privs)
- The following "Script (Python)" named "nuke" and with "Manager"
proxy role.
- Non Manager user
- Load URL: {plone-root}/abc/xyz/nuke
==== Browser shows:
Insufficient Privileges
You do not have sufficient privileges to view this page. If you believe
you are receiving this message in error, please send an e-mail to"
==== The events.log shows:
2005-10-17T16:16:34 ERROR(200) SiteError
http://localhost:8080/PloneRoot/abc/xyz/nuke
Traceback (most recent call last):
File "/usr/local/zope/lib/python/ZPublisher/Publish.py", line 101, in
publish
request, bind=1)
File "/usr/local/zope/lib/python/ZPublisher/mapply.py", line 88, in mapply
if debug is not None: return debug(object,args,context)
File "/usr/local/zope/lib/python/ZPublisher/Publish.py", line 39, in
call_object
result=apply(object,args) # Type s<cr> to step into published object.
File "/usr/local/zope/lib/python/Shared/DC/Scripts/Bindings.py", line
306, in __call__
return self._bindAndExec(args, kw, None)
File "/usr/local/zope/lib/python/Shared/DC/Scripts/Bindings.py", line
343, in _bindAndExec
return self._exec(bound_data, args, kw)
File
"/usr/local/zope/lib/python/Products/PythonScripts/PythonScript.py",
line 324, in _exec
result = f(*args, **kw)
File "Script (Python)", line 16, in mlt
File "/usr/local/zinstance/Products/CMFPlone/PloneFolder.py", line
306, in manage_delObjects
raise Unauthorized, (
Unauthorized: Do not have permissions to remove this object
==== The script is:
## Script (Python) "nuke"
##bind container=container
##bind context=context
##bind namespace=
##bind script=script
##bind subpath=traverse_subpath
##parameters=
##title=My Test Script
##
from Products.PythonScripts.standard import html_quote
objid = context.getId()
folder = context.aq_inner.aq_parent
mylog = folder.plone_log
#####
## DELETION CRITERIA CHECKS OMITTED
####
# So, now we delete it...
member = context.portal_membership.getAuthenticatedMember()
mylog( "%s deletes (%s) from (%s)" %\
(member.id, context.absolute_url(), folder.absolute_url()))
resp = folder.manage_delObjects( [objid] )
mylog( "folder.{%s}.manage_delObjects(['%s'] = {%s}\nCTX=%s" %
(folder.absolute_url(), objid,
folder.dumpIt( resp ), folder.absolute_url()))
mylog( "Remaining: " + str(folder.objectIds()) )
# Set 'text' for the portal_status_message
text = "No exceptions deleting '%s'" % objid
if objid in folder.objectIds():
text += " / ID is still there"
else:
text += " / ID is gone"
if context in folder.objectValues():
text += " / OBJECT is still there"
else:
text += " / OBJECT is gone"
context.REQUEST.RESPONSE.redirect( folder.absolute_url() +
'?portal_status_message=' +
html_quote(text))
_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
