IRC log of #zope3-dev for Sunday, 2007-05-20

00:24 *** dobee has joined #zope3-dev
00:29 *** projekt01 has joined #zope3-dev
00:29 <dennis_> If I have created a new Checker class, which after the normal permissions checks whether this particular principal is really allowed to access a particular object (check a mapping between the given principal and object in a per-object permissions utility), where/how would I go and wire this up? i.e. saying "for objects of type XXX use the following checker"? Preferably, of course, in ZCML.
00:30 <dennis_> (of course, if there is already a better way to handle per-object access I would welcome that even more :)
00:31 <projekt01> dennis_, why are you doing this?
00:32 <dennis_> projekt01: well, even though someone might have content.Edit permissions, I want to still restrict him to only his own content, and I'd rather secure the object directly than do this checking in the view code
00:32 *** torkel_ has joined #zope3-dev
00:32 <projekt01> you can do this by granting the permission on the object, there is no need for another concept.
00:33 <dennis_> do you have a pointer or small example? it sounds really good
00:34 <projekt01> ...just a moment
00:34 *** schwendinger|gri has quit IRC
00:36 <projekt01> you can do something like that:
00:36 <projekt01> ppm = IPrincipalPermissionManager(context)
00:36 <projekt01> ppm.denyPermissionToPrincipal(permission_id, principal_id)
00:36 <projekt01> and you are done
00:37 <projekt01> simple, isn't it?
00:40 <dennis_> hmm .. so I would need a permission_id for every content _object_ rather than for content in general?
00:40 <projekt01> no
00:41 <projekt01> just deny the edit permission e.g. ppm.denyPermissionToPrincipal('zope.ManageContent', '<the principal id>')
00:43 <dennis_> and call that in the view code?   (the denyPermission is only for the current interaction?)
00:43 <projekt01> why only in one interaction?
00:44 <dennis_> I will give a small example :) sorry if I'm missing the point
00:44 <dennis_> let's say I have a content object BankAccount, a permission ViewBankAccount, and 1000 principals each with ViewBankAccount permissions granted
00:45 <dennis_> but of course I want to secure each BankAccount such that only the "owner" principal can really view it
00:46 <projekt01> yes, you need to grant permission for each account per (owner) principal.
00:47 <dennis_> but, if a principal has ViewBankAccount permissions, he can view any bank account
00:49 <dennis_> or programmatically for every new BankAccount create a ViewBankAccount0302 permission and grant those?
00:51 *** philiKON has joined #zope3-dev
00:56 *** pcardune has quit IRC
00:57 <projekt01> dennis_, the principal only has the ViewBankAccount permission if you grant it on an object; sure, you can't set this in ZCML in general.
00:57 <projekt01> there is no need to use more than one permission!
00:58 <projekt01> only grant the permission on an object for a specific principal id when you create the object.
01:00 <dennis_> projekt01: ahhhhh I was confused with the permissions which are set for views .. it makes sense now .. of course! :) thank you a lot!
01:02 <dennis_> (actually confused by an email where people asked if it was possible to assign permissions per attribute per object, which isn't/wasn't possible, and then I mixed it up, sorry)
01:02 *** d2m has quit IRC
01:03 <projekt01> dennis_, no problem
01:04 *** torkel_ has quit IRC
01:04 <projekt01> dennis_, per attribute is possible if you use a different permission per attribute and register them in the class subdirective.
01:05 <projekt01> See the different class directives, there we use many different permissions for class/attributes on one object
01:06 <dennis_> previously I assigned the required permissions per class in the ZCML in the <class><interface .. permission=""/></class>, so saying that in e.g. BankAccount for reading all attributes you only need ViewBankAccount; I didn't realise I could just leave this out and do it per object instead
01:06 *** philiKON_ has quit IRC
01:07 <projekt01> Ah yes, right
01:09 <dennis_> hmm .. so when I create a new BankAccount, how do I give principal X permission Y on only that object?  denyPermissionToPrincipal() does not have the object?
01:09 <dennis_> or is the IPrincipalPermissionManager adapted from my object?
01:11 <projekt01> dennis_, zope.app.securitypolicy.interfaces
01:12 <projekt01> the adapter adapts the object e.g. IPrincipalPermissionManager(context)
01:15 <dennis_> ahhhhh it works like that .. that's actually beautiful
01:15 <dennis_> much nicer than I hoped for
01:16 <dennis_> so I can also even allow the owner to change the 'account name' attribute but still not the 'account number' attribute
01:18 <projekt01> yes
01:18 <projekt01> you can define e.g. an EditAccount and a ManageAccount permission
01:19 <dennis_> beautiful stuff
01:19 <projekt01> and protect the object attributes in a class with set_attributes="accountNumber"
01:19 <dennis_> that really helped me a lot, thanks again for your trouble!
01:19 <projekt01> instead of set_schema=".interfaces.IAccount"
01:19 <projekt01> no problem
01:21 *** torkel_ has joined #zope3-dev
01:35 *** natea_ has joined #zope3-dev
01:35 *** torkel_ has quit IRC
01:37 *** bigkevmcd has quit IRC
01:42 *** natea has quit IRC
01:55 *** meatballhat has joined #zope3-dev
01:56 *** jinty has joined #zope3-dev
02:05 *** zagy has joined #zope3-dev
02:07 *** pcardune has joined #zope3-dev
02:14 *** dobee has quit IRC
02:14 *** jinty has quit IRC
02:18 *** meatballhat has left #zope3-dev
02:19 <dennis_> just so I am clear: when in debug and asking the IRolePermissionManager and IPrincipalPermissionManager for getRolesAndPermissions and getPrincipalsAndPermissions on an object in my root['site']['etc'], should they return the empty lists?
02:25 *** salfield has joined #zope3-dev
02:42 *** salfield_ has quit IRC
02:53 *** salfield has quit IRC
02:54 *** salfield has joined #zope3-dev
03:09 *** salfield_ has joined #zope3-dev
03:11 *** febb has quit IRC
03:19 *** lurker has quit IRC
03:21 *** salfield has quit IRC
03:24 *** Jell-O-Fishi has joined #zope3-dev
04:21 *** pcardune has quit IRC
04:35 *** tom__ has joined #zope3-dev
04:50 *** salfield_ has quit IRC
05:08 *** zagy has quit IRC
05:44 *** salfield_ has joined #zope3-dev
05:46 *** tom__ has quit IRC
05:58 *** pcardune has joined #zope3-dev
06:27 *** salfield_ has quit IRC
06:29 *** salfield has joined #zope3-dev
06:34 *** projekt01 has quit IRC
06:37 *** greenman has joined #zope3-dev
06:46 *** alecm has joined #zope3-dev
06:46 *** alecm has quit IRC
07:04 *** pcardune has quit IRC
07:06 *** niemeyer has quit IRC
07:27 *** pcardune has joined #zope3-dev
07:49 *** pcardune has quit IRC
09:05 *** dobee has joined #zope3-dev
09:07 *** timte has joined #zope3-dev
09:07 *** tim__ has joined #zope3-dev
09:31 *** ktwilight has quit IRC
09:31 *** ktwilight has joined #zope3-dev
09:35 *** stub has joined #zope3-dev
09:37 *** stu1 has quit IRC
09:44 *** dobee has quit IRC
10:15 *** greenman has quit IRC
10:15 *** greenman has joined #zope3-dev

Generated by irclog2html.py 2.15.1 by Marius Gedminas - find it at mg.pov.lt!