[Zope] restricting permissions for direct access only

Lennart Regebro regebro at gmail.com
Sat Feb 11 05:43:28 EST 2006

On 2/11/06, Michael Shulman <shulman at mathcamp.org> wrote:
> Is there a way in Zope to restrict permissions for direct access only
> (i.e. calling an object through the web) but still allow indirect
> access (i.e. executing an object that was called by another object
> that was called through the web)?

Yes. If that "other object" is disk-based python, it is most likely
able to do it already. If it is a python-script, you can set it up to
have a proxy role. That way your auxiliary scripts can all require
manager roles, and you can give the scripts that need to call them the
Manager proxy-role

> Feel free to tell me that I am misunderstanding the way security
> works, or is supposed to work, in Zope, or that if this is something I
> need to do I am designing my site incorrectly from the point of view
> of Zope security (and if so, what is the correct way to design it?).

No you seem to have got it. Although the next time you do something
that complex you might want to look into making a disk-based prodct
instead. It's often easier for complex features.

Lennart Regebro, Nuxeo     http://www.nuxeo.com/
CPS Content Management     http://www.cps-project.org/

More information about the Zope mailing list