[Zope3-dev] how-to stop permission propagation to sublocations
Adam Groszer
agroszer at gmail.com
Thu Aug 23 09:56:10 EDT 2007
Hi,
I ended up overriding the permission storage map. This might not be
so conservative, but seems to work. Kills any not ALLOWED permission
and stops propagation.
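
# Import paths assumed from the zope.app.securitypolicy package named in the ZCML.
from zope.app.securitypolicy.interfaces import Deny, Unset
from zope.app.securitypolicy.principalpermission import (
    AnnotationPrincipalPermissionManager)

ALLOWED = ['zope.View', 'zope.app.dublincore.view', ...]

class trashPermManager(AnnotationPrincipalPermissionManager):
    def getSetting(self, permission_id, principal_id, default=Unset):
        # Only allow-listed permissions use the stored setting.
        if permission_id in ALLOWED:
            return AnnotationPrincipalPermissionManager.getSetting(
                self, permission_id, principal_id, default)
        else:
            # Everything else is denied at the trash container.
            return Deny

<adapter
    for=".interfaces.ITrashContainer"
    provides="zope.app.securitypolicy.interfaces.IPrincipalPermissionMap"
    factory=".adapter.trashPermManager"
    />
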
> In a similar use-case, yes, I set up all relevant permissions for a `new
> arrival` using a subscriber - including denying permissions on
> sub-objects. I felt that being explicit about my security design was a
> good decision.
> Hope that helps.
> Darryl
--
Best regards,
Adam mailto:agroszer at gmail.com
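
Added example, not part of the original message and not Zope code: a simplified stand-in for location-based permission lookup, showing how an allow-list override on a container cuts off grants inherited from above. The Location, TrashContainer, check_permission and build_sample_tree names, the principal 'adam' and the sample tree are constructed for illustration.

```python
# Simplified model of "nearest setting wins" lookup; not Zope's implementation.
ALLOW, DENY, UNSET = "Allow", "Deny", "Unset"
ALLOWED = ["zope.View", "zope.app.dublincore.view"]  # constructed allow-list


class Location:
    """An object with a parent and local (permission, principal) settings."""

    def __init__(self, name, parent=None, grants=None):
        self.name, self.parent = name, parent
        self.grants = dict(grants or {})

    def get_setting(self, permission_id, principal_id):
        return self.grants.get((permission_id, principal_id), UNSET)


class TrashContainer(Location):
    """Same override as in the post: anything outside ALLOWED is denied here."""

    def get_setting(self, permission_id, principal_id):
        if permission_id in ALLOWED:
            return super().get_setting(permission_id, principal_id)
        return DENY


def check_permission(obj, permission_id, principal_id):
    """Nearest explicit setting wins; Unset defers to the parent location."""
    while obj is not None:
        setting = obj.get_setting(permission_id, principal_id)
        if setting != UNSET:
            return setting == ALLOW
        obj = obj.parent
    return False  # nothing set anywhere: deny by default


def build_sample_tree():
    """Constructed tree: root grants 'adam' view and manage rights."""
    root = Location("root", grants={
        ("zope.View", "adam"): ALLOW,
        ("zope.ManageContent", "adam"): ALLOW,
    })
    folder = Location("folder", parent=root)
    trash = TrashContainer("trash", parent=root)
    # A grant stored on the trash container itself is masked by the override.
    trash.grants[("zope.ManageContent", "adam")] = ALLOW
    deleted = Location("deleted-doc", parent=trash)
    return folder, trash, deleted
```

In this model a setting stored directly on an object inside the trash would still be found before the container's Deny, which is the case the quoted subscriber approach handles by setting permissions on sub-objects explicitly.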