[Zope3-dev] local grants don't work properly for objects with object fields

Andreas Reuleaux reuleaux at web.de
Fri Jan 27 15:14:40 EST 2006


Local grants (i.e. roles/permissions granted to local users of a
site) don't work properly for objects with object fields (i.e. when
trying to access objects that have somefield=Object(...) entries in
their interface definition).

I have provided a short description of the problem below and have
already prepared a complete example demonstrating the problem in a
step by step manner, but that seems better suited for a bug report to
me. Has anyone experienced the same problem (below) and has some
good advice? Otherwise I am going to submit a bug report.

Short description of the problem (I have used a family
example - this is how I originally learned about Object fields
and widgets, cf. e.g. Zope3/src/zope/app/form/browser/objectwidget.txt
and messages on the zope3-users mailing list):

* Create two different components with and without Object(...) fields,
  say family and simplefamily.

* Protect them with families.View and families.Edit permissions,
  respectively grant these permissions to families.Reader and
  families.Editor roles.

* Create a folder, say "myfolder", and within that folder some family
  and simplefamily objects.

* Make the folder a site and create some local users within that site.
  This involves creating a pluggable authentication utility (say pau)
  within the site management folder (registering it), a principal
  folder (say users) within the pau (registering it, going back to the
  configuration of the pau now using the users utility as an
  authenticator plugin and Zope Realm Basic Auth as Credential
  plugins) and creating some principals within the users principal
  folder (say a user "local").

* Go to myfolder > Grant, search for the newly created local user in
  /myfolder/++etc++site/default/pau/users and select him. Now grant
  him the families.Reader and families.Editor roles.

* Create two more users, say reader (with the families.Reader role)
  and user (with families.Reader and families.Editor roles),
  in your principals file.

* Now try to access the two objects family and simplefamily with these
  three different users (in a different browser). Note that the
  "local" user of the site has the same roles (permissions) as the
  "user" from the principals file.

* Whereas in the case of simplefamily the "local" user and the "user"
  from the principals file both have the same behaviour (and that is
  correct), the "local" user can't view the family object - this seems
  a bug to me.

-Andreas
