*** dobee has joined #zope3-dev | 00:24 | |
*** projekt01 has joined #zope3-dev | 00:29 | |
dennis_ | if I have created a new Checker class, which after the normal permissions checks if this particular principal is really allowed to access a particular object (check a mapping between given principal and object in a per-object permissions utility), where/how would I go and wire this up? i.e. saying "for objects of type XXX use the following checker"? preferably of course in zcml | 00:29 |
dennis_ | (of course, if there is already a better way to handle per-object access I would welcome that even more :) | 00:30 |
projekt01 | dennis_, why are you doing this? | 00:31 |
dennis_ | projekt01: well, even though someone might have content.Edit permissions, I want to still restrict him to only his own content, and I'd rather secure the object directly than do this checking in the view code | 00:32 |
*** torkel_ has joined #zope3-dev | 00:32 | |
projekt01 | you can do this by granting the permission on the object, there is no need for another concept. | 00:32 |
dennis_ | do you have a pointer or small example? it sounds really good | 00:33 |
projekt01 | ...just a moment | 00:34 |
*** schwendinger|gri has quit IRC | 00:34 | |
projekt01 | you can do something like that: | 00:36 |
projekt01 | ppm = IPrincipalPermissionManager(context) | 00:36 |
projekt01 | ppm.denyPermissionToPrincipal(permission_id, principal_id) | 00:36 |
projekt01 | and you are done | 00:36 |
projekt01 | simple, isn't it? | 00:37 |
dennis_ | hmm .. so I would need a permission_id for every content _object_ rather than for content in general? | 00:40 |
projekt01 | no | 00:40 |
projekt01 | just deny the edit permission e.g. ppm.denyPermissionToPrincipal('zope.ManageContent', '<the principal id>') | 00:41 |
dennis_ | and call that in the view code? (the denyPermission is only for the current interaction?) | 00:43 |
projekt01 | why only in one interaction? | 00:43 |
dennis_ | I will give a small example :) sorry if I'm missing the point | 00:44 |
dennis_ | let's say I have a content object BankAccount, a permission ViewBankAccount, and 1000 principals each with ViewBankAccount permissions granted | 00:44 |
dennis_ | but of course I want to secure each BankAccount such that only the "owner" principal can really view it | 00:45 |
projekt01 | yes, you need to grant permission for each account per (owner) principal. | 00:46 |
dennis_ | but, if a principal has ViewBankAccount permissions, he can view any bank account | 00:47 |
dennis_ | or programmatically for every new BankAccount create a ViewBankAccount0302 permission and grant those? | 00:49 |
*** philiKON has joined #zope3-dev | 00:51 | |
*** pcardune has quit IRC | 00:56 | |
projekt01 | dennis_, the principal has only the ViewBankAccount permission if you grant it on an object, sure you can't set this in ZCML in general. | 00:57 |
projekt01 | there is no need to use more than one permission! | 00:57 |
projekt01 | only grant the permission on an object for a specific principal id if you create the object. | 00:58 |
dennis_ | projekt01: ahhhhh I was confused with the permissions which are set for views .. it makes sense now .. of course! :) thank you a lot! | 01:00 |
dennis_ | (actually confused by an email where people asked if it was possible to assign permissions per attribute per object, which isn't/wasn't possible, and then I mixed it up, sorry) | 01:02 |
*** d2m has quit IRC | 01:02 | |
projekt01 | dennis_, no problem | 01:03 |
*** torkel_ has quit IRC | 01:04 | |
projekt01 | dennis_, per attribute is possible if you use different permissions per attribute and register them in the class subdirective. | 01:04 |
projekt01 | See the different class directives, there we use many different permissions for class/attributes on one object | 01:05 |
dennis_ | previously I assigned the required permissions per class in the zcml in the <class><interface .. permission=""/></class>, so saying that e.g. in BankAccount for reading of all attributes you only need ViewBankAccount, I didn't realise I could just leave this out and do it per object instead | 01:06 |
*** philiKON_ has quit IRC | 01:06 | |
projekt01 | Ah yes, right | 01:07 |
dennis_ | hmm .. so when I create a new BankAccount, how do I give principal X permission Y on only that object? denyPermissionToPrincipal() does not have the object? | 01:09 |
dennis_ | or is the IPrincipalPermissionManager adapted from my object? | 01:09 |
projekt01 | dennis_, zope.app.securitypolicy.interfaces | 01:11 |
projekt01 | the adapter adapts the object e.g. IPrincipalPermissionManager(context) | 01:12 |
dennis_ | ahhhhh it works like that .. that's actually beautiful | 01:15 |
dennis_ | much nicer than I hoped for | 01:15 |
dennis_ | so I can also even allow the owner to change the 'account name' attribute but still not the 'account number' attribute | 01:16 |
projekt01 | yes | 01:18 |
projekt01 | you can define e.g. an EditAccount and a ManageAccount permission | 01:18 |
dennis_ | beautiful stuff | 01:19 |
projekt01 | and protect the object attributes in a class with set_attributes="accountNumber" | 01:19 |
dennis_ | that really helped me a lot, thanks again for your trouble! | 01:19 |
projekt01 | instead of set_schema=".interfaces.IAccount" | 01:19 |
projekt01 | no problem | 01:19 |
*** torkel_ has joined #zope3-dev | 01:21 | |
*** natea_ has joined #zope3-dev | 01:35 | |
*** torkel_ has quit IRC | 01:35 | |
*** bigkevmcd has quit IRC | 01:37 | |
*** natea has quit IRC | 01:42 | |
*** meatballhat has joined #zope3-dev | 01:55 | |
*** jinty has joined #zope3-dev | 01:56 | |
*** zagy has joined #zope3-dev | 02:05 | |
*** pcardune has joined #zope3-dev | 02:07 | |
*** dobee has quit IRC | 02:14 | |
*** jinty has quit IRC | 02:14 | |
*** meatballhat has left #zope3-dev | 02:18 | |
dennis_ | just so I am clear: when in debug and asking the IRolePermissionManager and IPrincipalPermissionManager for getRolesAndPermissions and getPrincipalsAndPermissions on an object in my root['site']['etc'], should they return the empty lists? | 02:19 |
*** salfield has joined #zope3-dev | 02:25 | |
*** salfield_ has quit IRC | 02:42 | |
*** salfield has quit IRC | 02:53 | |
*** salfield has joined #zope3-dev | 02:54 | |
*** salfield_ has joined #zope3-dev | 03:09 | |
*** febb has quit IRC | 03:11 | |
*** lurker has quit IRC | 03:19 | |
*** salfield has quit IRC | 03:21 | |
*** Jell-O-Fishi has joined #zope3-dev | 03:24 | |
*** pcardune has quit IRC | 04:21 | |
*** tom__ has joined #zope3-dev | 04:35 | |
*** salfield_ has quit IRC | 04:50 | |
*** zagy has quit IRC | 05:08 | |
*** salfield_ has joined #zope3-dev | 05:44 | |
*** tom__ has quit IRC | 05:46 | |
*** pcardune has joined #zope3-dev | 05:58 | |
*** salfield_ has quit IRC | 06:27 | |
*** salfield has joined #zope3-dev | 06:29 | |
*** projekt01 has quit IRC | 06:34 | |
*** greenman has joined #zope3-dev | 06:37 | |
*** alecm has joined #zope3-dev | 06:46 | |
*** alecm has quit IRC | 06:46 | |
*** pcardune has quit IRC | 07:04 | |
*** niemeyer has quit IRC | 07:06 | |
*** pcardune has joined #zope3-dev | 07:27 | |
*** pcardune has quit IRC | 07:49 | |
*** dobee has joined #zope3-dev | 09:05 | |
*** timte has joined #zope3-dev | 09:07 | |
*** tim__ has joined #zope3-dev | 09:07 | |
*** ktwilight has quit IRC | 09:31 | |
*** ktwilight has joined #zope3-dev | 09:31 | |
*** stub has joined #zope3-dev | 09:35 | |
*** stu1 has quit IRC | 09:37 | |
*** dobee has quit IRC | 09:44 | |
*** greenman has quit IRC | 10:15 | |
*** greenman has joined #zope3-dev | 10:15 | |
Generated by irclog2html.py 2.15.1 by Marius Gedminas - find it at mg.pov.lt!