[Zope3-Users] Denying permissions for 'everybody' - which principals to use?

Jeff Shell eucci.group at gmail.com
Wed Nov 16 15:38:37 EST 2005


For a simple content management system we're building, I've started
working on a simple security interface which is supposed to enable /
disable 'view' (and dublin core view). The setup that I have - or want
to have - is a UI that says:

Who can see this item?

- Everybody
- Nobody (grants view to zope.Manager and our.cms.ContentEditor roles
only, for now)
- Specific Users

If 'specific users' is selected, users from the local principal folder
are listed for selection.

I seem to have my implementation working somewhat - I can go to the
normal Grant screen and see specific users have 'Allow' checked for
the view permissions managed by my sharing view. And 'zope.anybody' is
denied:

>>> pprint(settingsForObject(jobs))
[(u'jobs',
  {'principalPermissions': [{'permission': 'zope.View',
                             'principal': u'brcmscms.user2',
                             'setting': PermissionSetting: Allow},
                            {'permission': 'zope.View',
                             'principal': 'zope.anybody',
                             'setting': PermissionSetting: Deny},
                            {'permission': 'zope.app.dublincore.view',
                             'principal': u'brcmscms.user2',
                             'setting': PermissionSetting: Allow},
                            {'permission': 'zope.app.dublincore.view',
                             'principal': 'zope.anybody',
                             'setting': PermissionSetting: Deny}],
   'principalRoles': [],
   'rolePermissions': []}),
  ...

When I traverse to the object in question in another browser, I get
prompted for login. But if I supply different credentials (ie, one of
the users not Allowed explicit view privileges), I'll still see the
page.

Am I denying the right person here? Globally, the permission is set up
as follows:

                       {'permission': 'zope.View',
                        'role': 'zope.Anonymous',
                        'setting': PermissionSetting: Allow},

Should I Deny access to the zope.Anonymous role? To the Everybody
group? To the Unauthenticated Group? Right now, I only deny the
principal:

    def denyUnauthenticated(self):
        """ Explicitly deny the view permissions for unauthenticated users. """
        anybody = zapi.getUtility(IUnauthenticatedPrincipal).id
        pmanager = IPrincipalPermissionManager(self.context)
        for permission in self._view_permissions:
            pmanager.denyPermissionToPrincipal(permission, anybody)

This is in Zope 3.1.0 on Python 2.3.5

The point of this simple 'sharing' interface is to let our customer
have a press folder that they can restrict access to by allowing only
limited people in to it. We're trying to keep the user interface as
simple as possible.


More information about the Zope3-users mailing list