[Zope3-dev] how-to stop permission propagation to sublocations

Adam Groszer agroszer at gmail.com
Thu Aug 23 09:56:10 EDT 2007


I ended up overriding the permission storage map. This might not be
so conservative, but seems to work. Kills any not ALLOWED permission
and stops propagation.

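# Import paths as in the zope.securitypolicy package; other releases may differ.
from zope.securitypolicy.principalpermission import (
    AnnotationPrincipalPermissionManager)
from zope.securitypolicy.settings import Deny, Unset

ALLOWED = ['zope.View', 'zope.app.dublincore.view', ...]

class trashPermManager(AnnotationPrincipalPermissionManager):
    def getSetting(self, permission_id, principal_id, default=Unset):
        # Allowlisted permissions keep their stored setting (or the default).
        if permission_id in ALLOWED:
            return AnnotationPrincipalPermissionManager.getSetting(
                self, permission_id, principal_id, default)
        # Anything else is denied at this location.
        return Deny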

> In a similar use-case, yes, I set up all relevant permissions for a `new
> arrival` using a subscriber - including denying permissions on
> sub-objects. I felt that being explicit about my security design was a
> good decision.

> Hope that helps.
> Darryl

Best regards,
 Adam                            mailto:agroszer at gmail.com
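
A stand-alone model of the lookup this override relies on, added here as an example (not code from the post or from Zope). It assumes the policy asks each location for a principal-permission setting and moves to the parent while the answer is Unset; groups and roles are left out. `Location`, `check`, `demo` and the principal id `adam` are hypothetical names.

```python
# Simplified model, not Zope's implementation (assumption: the lookup walks
# to the parent location while the setting is Unset).
ALLOW, DENY, UNSET = "Allow", "Deny", "Unset"
ALLOWED = ["zope.View", "zope.app.dublincore.view"]  # constructed subset


class Location:
    def __init__(self, name, parent=None, restricted=False):
        self.name, self.parent, self.restricted = name, parent, restricted
        self.grants = {}  # (permission_id, principal_id) -> ALLOW / DENY

    def grant(self, permission_id, principal_id, setting=ALLOW):
        self.grants[(permission_id, principal_id)] = setting

    def get_setting(self, permission_id, principal_id):
        # A restricted location answers Deny for anything off the allowlist,
        # as the override in the post does, so the walk ends here.
        if self.restricted and permission_id not in ALLOWED:
            return DENY
        return self.grants.get((permission_id, principal_id), UNSET)


def check(location, permission_id, principal_id):
    """Return (decision, name of the location that decided)."""
    while location is not None:
        setting = location.get_setting(permission_id, principal_id)
        if setting != UNSET:
            return setting == ALLOW, location.name
        location = location.parent
    return False, None  # nothing set anywhere: no access


def demo():
    root = Location("root")
    root.grant("zope.ManageContent", "adam")
    root.grant("zope.View", "adam")
    plain = Location("plain", parent=root)
    locked = Location("locked", parent=root, restricted=True)
    child = Location("child", parent=locked)
    # A grant stored on the restricted location itself is masked as well.
    locked.grant("zope.ManageContent", "adam")
    return {
        "plain": check(plain, "zope.ManageContent", "adam"),
        "locked": check(locked, "zope.ManageContent", "adam"),
        "child": check(child, "zope.ManageContent", "adam"),
        "child_view": check(child, "zope.View", "adam"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

In this model, allowlisted permissions still inherit through the restricted location, while every other permission is decided there, for the location and for everything below it.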