[Zope] New permissions

Dylan Reinhardt zope@dylanreinhardt.com
04 Apr 2003 09:54:12 -0800


On Fri, 2003-04-04 at 09:04, Michael Havard wrote:
> Is there another way to allow a user to add a folder without needing to give
> them manage properties permissions?

Here's a general-purpose technique:

1. Create a role called AddFolder
2. Give AddFolder the necessary permissions to create a folder
3. Create an add_folder method and give it an AddFolder proxy role.
4. Permit authors to use (but not change) the add_folder method

This way, authors will have the ability to use the permissions
associated with AddFolder... but only in the specific way(s) you have
defined.  

It's a good idea to make your roles pretty fine-grained... but it's
probably not worth going overboard with.  It's more important, in this
scheme, that your methods be tailored to a specific purpose and the
permissions controlling them be fine-grained.  

> It would be nice to have a document 
> listing the permissions and EXACTLY what they do and how they interrelate if 
> only just for the base ZOPE and CMF products.

The best such document is the product source code.

Permissions, ultimately, are just labels applied to collections of
product methods.  When you allow a permission, you allow specific users
to call its methods.  If you want to know exactly what those methods
*do*, you'll have to look at how they are defined.

HTH,

Dylan
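
The four steps above, modelled as an added example in plain Python (not code from the original post and not Zope's API). The classes, the "Use add_folder" permission and the permission set given to AddFolder are assumptions made for illustration.

```python
import re

class Unauthorized(Exception):
    """Raised when the effective roles lack a required permission."""

# Constructed sample policy: role -> permissions. The permissions given to
# AddFolder are an assumption based on the question in the thread.
ROLE_PERMISSIONS = {
    "Author": {"Use add_folder"},
    "AddFolder": {"Add Folders", "Manage properties"},
}

def check(roles, permission):
    if not any(permission in ROLE_PERMISSIONS.get(r, ()) for r in roles):
        raise Unauthorized(permission)

class Folder:
    def __init__(self):
        self.children = {}

    def manage_add_folder(self, roles, folder_id):
        # The protected operation: checked against the *effective* roles.
        check(roles, "Add Folders")
        check(roles, "Manage properties")
        self.children[folder_id] = Folder()

class ProxyMethod:
    """A method that runs with fixed proxy roles instead of the caller's."""
    def __init__(self, body, call_permission, proxy_roles):
        self.body, self.call_permission = body, call_permission
        self.proxy_roles = frozenset(proxy_roles)

    def __call__(self, caller_roles, *args):
        check(caller_roles, self.call_permission)  # step 4: may the caller use it?
        return self.body(self.proxy_roles, *args)  # step 3: body sees proxy roles only

def _add_folder_body(roles, container, folder_id):
    # Tailored to one purpose: a plain sub-folder with a conservative id.
    if not re.fullmatch(r"[a-z0-9][a-z0-9_-]{0,31}", folder_id):
        raise ValueError("invalid folder id")
    if folder_id in container.children:
        raise ValueError("id already in use")
    container.manage_add_folder(roles, folder_id)
    return folder_id

add_folder = ProxyMethod(_add_folder_body, "Use add_folder", {"AddFolder"})
```

An Author can create a folder through add_folder, while a direct call to manage_add_folder with the Author role raises Unauthorized.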