[Zope-CMF] Private CMF site

Tres Seaver tseaver@zope.com
19 Feb 2003 13:31:38 -0500

On Wed, 2003-02-19 at 13:17, Greg Ward wrote:

> Can someone explain what "Access contents information" means?

Originally (we're talking pre-Zope here), "View" was conceptually like
the Unix "execute" permission on an object, while "Access contents
information" was like the Unix "read" permission:  ACI specifically
protected the 'objectIds' / 'objectValues' / 'objectItems' methods of
ObjectManagers.  The two have become muddied over time, because it is
frequently the case that View isn't useful without ACI, and so people
either granted ACI to the same roles as View, or else changed the
permission guarding the accessors to View.

> I've Google'd for it and grep'd the Zope source code but have not yet
> achieved enlightenment.  Is there any place where Zope permissions are
> documented?
>
> As an aside, it looks as though CMF really wasn't designed with
> "members-only" sites in mind.  In particular, the default main_template
> makes liberal use of here/portal_membership, here/portal_actions, etc.
> That means that any attempt to render a nice-looking login_form or
> logged_out depends on having access to here/portal_* -- i.e. you want
> your login_form and logged_out to use the same skin as the rest of your
> site, meaning you need to use main_template, meaning anonymous users
> need to be able to access here/portal_*.
>
> I can see three possible ways out:
>   * rewrite main_template to defend against permission failures, e.g.
>     "define mtool here/portal_membership | nothing" -- which gets
>     hairy because then you have to code around mtool not being
>     defined, and so on down the line
>   * use vanilla login_form and logged_out pages -- i.e. don't use
>     the same skin as the rest of your site (works, but looks
>     unprofessional -- especially since the login_form is the first
>     thing every user will see!)
>   * grant appropriate permissions on /portal/portal_* -- I guess
>     give Anonymous "Access contents information" and "View", but
>     I'm not really sure if this will work.

    * Give appropriate "proxy roles" to the 'login_form' template, which
      will enable it to use those services.  Ausum's how-to actually
      shows that, I think.

Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com