[Zope3-dev] how-to stop permission propagation to sublocations

Darryl Cousins darryl at darrylcousins.net.nz
Thu Aug 23 08:09:48 EDT 2007


On Thu, 2007-08-23 at 08:31 +0200, Adam Groszer wrote:
> Hello Christian,
> Thanks, tried that. The problem is when new users "arrive", they get
> ModifyContent permission in the site root. Now I shall add a
> subscriber for the new_user event or denying ModifyContent from
> Authenticated users should be enough? I am still a bit puzzled.

In a similar use-case, yes, I set up all relevant permissions for a `new
arrival` using a subscriber - including denying permissions on
sub-objects. I felt that being explicit about my security design was a
good decision.

Hope that helps.

> Thursday, August 23, 2007, 7:12:12 AM, you wrote:
> > Am Mittwoch, den 22.08.2007, 21:00 +0200 schrieb Adam Groszer:
> >> Hello,
> >> 
> >> Is there a sane way to stop permission propagation to sublocations?
> >> Let's say I have a site, and somewhere below there is a folder as a
> >> trashcan, unneeded objects get moved to here. Users must not modify
> >> objects in the trash. Users usually will get ModifyContent permission
> >> at the site level.
> >> The easiest way seems to stop propagation of the permission
> >> ModifyContent at the trashcan level. But how? Anybody done something
> >> like this already?
> > Permissions can be set to 'yes' or 'no' or be 'unset'. Using those three
> > states in combination with the default 'propagation' should give you
> > what you want. If you set 'ModifyContent' to 'No' on the trash and the
> > content's permission is not explicitly set then that should fit your
> > situation.
> > Christian

More information about the Zope3-dev mailing list