[Zope] confused on permissions and roles

John Hunter jdhunter at ace.bsd.uchicago.edu
Wed Jun 30 18:41:09 EDT 2004


>>>>> "John" == John Hunter <jdhunter at ace.bsd.uchicago.edu> writes:

    John> I have a class that inherits from RoleManager (via Folder).
    John> It defined additional roles, including 'Administrator'.  I
    John> would like the Administrator to be able to view management
    John> screens and create objects of certain types, but not be able
    John> to delete or rename objects of certain types.

A followup - I've learned a bit more and realized I made a mistake in
the code I posted so I want to focus my question.

Goal: allow authenticated users with Role 'Administrator' or 'Manager'
      to access the manage_main screen of my instance, but disallow
      non-authenticated users or users with other roles.

I've learned that ClassSecurityInfo supersedes __ac_permissions__, so
I'm focusing my energies here

In the example below, RestrictedFolder derives from Folder

Example 1: I can access manage_main w/o no passwd authentication.  I
           want to be prompted for passwd and given access if user has
           role Administrator or Manager

    class Workflow(RestrictedFolder):
        """
        The base folder
        """
        meta_type="Workflow"

        __ac_roles__=('Manager', 'Administrator', 'Researcher', 'Reviewer')

        #permission = 'View management screens'
        permission = 'View'
        roles = ('Manager', 'Administrator')
        security = ClassSecurityInfo()
        security.setDefaultAccess('deny')

        def __init__(self, id=None):
            # snip
            pass

        security.setPermissionDefault(permission, roles)
        security.declareProtected(permission, 'manage_main')
        def manage_main(self, *args, **kwargs):
            'does this need to be overridden to have security apply to it?'
            return RestrictedFolder.manage_main(self, *args, **kwargs)
    InitializeClass(Workflow)

Example 2: a user with Role Administrator cannot access manage_main,
           the following error is produced (passwd is correct for this
           user)

    You are not authorized to access this resource.

    Username and password are not correct. (Also, an error occurred
    while attempting to render the standard error message.)

In this example, the code is the same as above, but I've reversed
the permission comment.  That is, permission = 'View management screens'

I am calling InitializeClass(RestrictedFolder).  I am refreshing my
product and restarting my browser with each test.  Changing the
default from 'deny' to 'allow' produces almost the same result (the
only difference is in example 2 I don't get the part about the
standard error message_

I'm clearly missing something fundamental.  What?  I've read and
reread the Security sections of the ZDG and Zope Book, to no avail.


Thanks!
John Hunter
zope-2.7


More information about the Zope mailing list