[Zope-CMF] Remove me from your list
Fernando Tapia Salinas
Tue, 25 Feb 2003 17:02:20 -0600
From: email@example.com [mailto:firstname.lastname@example.org] On behalf of
Hamish Harvey (David)
Sent: Tuesday, February 25, 2003 04:52 p.m.
Subject: restricting adding content by type (was Re: [Zope-CMF] [dev] CMF 1.4
Dammit, I keep doing this. Intended for the list, sent to Florent alone by
On Tuesday 25 Feb 2003 8:08 pm, Florent Guillaume wrote:
> Please let's discuss the available solutions first, and not check in
> something just a few days before a release.
Sure, sure. I had the code there, and Chris W had said he didn't have time
play when the list was first circulated. And I specified my reservations
the solution, so I didn't present it as ready to commit ....
> So let's *specify* what we want. From what I see, what's needed is a way
> to control from the type itself which users are allowed to create
> instances. This has to be
> 1. enforced when invokeFactory is called
> 2. very importantly too, queryable so that the UI can display available
Sounds about right.
> Existing code checks for the "View" permission (by an ugly hack using
> Title BTW) on the type information object (TI) to mean that users are
> allowed to view instances.
> To be coherent, we could check for "Add portal Content" on the TI to
> mean that users are allowed to create instances. No need to add a new
> permission. We just have to ensure the proposed one doesn't have any
> unwanted effect on the TI object itself.
I'm not totally convinced by this being coherent. To be sure, "Add portal
content" isn't doing much on the TI, so it could be co-opted for this
purpose, but the purpose, while related, is definitely *different* to the
purpose of that permission in the content areas of the site.
Content area: "Add portal content" = you have permission to add content here
if you have permission to add the particular content type anywhere
TI: "Add portal content" = you have permission to add content of this type
anywhere you have permission to add content at all.
This probably isn't a problem, possibly even makes sense, but there is a
subtle difference in meaning.
> And no need to use getSecurityManager.validate() on some dummy method
> for that, _checkPermission is fine.
Ah, the joys of cut-and-paste programming! And of learning by correction.
Zope-CMF maillist - Zope-CMF@zope.org
See http://collector.zope.org/CMF for bug reports and feature requests
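
The two requirements listed in the quoted message (the check is enforced when invokeFactory is called, and the same check can be queried so the UI lists only permitted types) can be modelled as one shared predicate. This is an added stand-alone example, not code from the thread or from CMF; every class and function name in it is hypothetical and the sample roles and types are constructed.

```python
# Stand-alone model of the check discussed in the thread; not CMF code.
# All class and function names here are hypothetical.
ADD = "Add portal content"

class Secured:
    """Object carrying a permission -> allowed-roles mapping."""
    def __init__(self, ident, grants):
        self.ident = ident
        self.grants = {perm: frozenset(roles) for perm, roles in grants.items()}

def check_permission(roles, permission, obj):
    """True if any of the user's roles holds `permission` on `obj`."""
    return bool(set(roles) & obj.grants.get(permission, frozenset()))

def may_construct(roles, type_info, container):
    """Single predicate: ADD on the container and ADD on the type information."""
    return (check_permission(roles, ADD, container)
            and check_permission(roles, ADD, type_info))

class Folder(Secured):
    def __init__(self, ident, grants, types):
        super().__init__(ident, grants)
        self.types = {ti.ident: ti for ti in types}
        self.items = {}

    def allowed_types(self, roles):
        """Query side: the type names a UI may offer to this user here."""
        return sorted(name for name, ti in self.types.items()
                      if may_construct(roles, ti, self))

    def invoke_factory(self, roles, type_name, item_id):
        """Enforcement side: refuses even when the UI listing is bypassed."""
        ti = self.types.get(type_name)
        if ti is None or not may_construct(roles, ti, self):
            raise PermissionError(f"cannot add {type_name!r} to {self.ident!r}")
        self.items[item_id] = type_name
        return item_id

# Constructed sample data: two type information objects, two content areas.
document = Secured("Document", {ADD: ["Member", "Manager"]})
news = Secured("News Item", {ADD: ["Manager"]})
members = Folder("members", {ADD: ["Member", "Manager"]}, [document, news])
archive = Folder("archive", {ADD: ["Manager"]}, [document, news])
```

Because the listing and the factory call go through the same predicate, a type hidden from the UI is also refused when the factory is called directly.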