[Zope3-Users] How to allow one user to access only his object
Naotoshi Seo
sonots at sonots.com
Fri Oct 21 01:19:58 EDT 2005
Hi. I have one more question.

Imagine there is a MessageBoard and many Message objects.
I would like to allow a user to modify only his own message, as on a
common message board, if the user types the password for the message.

I made a view that shows a form for typing the password, processed the
POSTed values, and redirected to the message object's editview, like this:

    <pages
        ....
        class=".modulename.Classname"
        ....
        >
      <page
          name="password.html"
          template="password.pt"
          />
      <page
          name="whatever"
          attribute="post"
          />
    </pages>

    class Classname(object):
        def post(self):
            # Handles the POSTed password form.
            messages = IMessageBoard(self.context).items()
            passwd = self.request['field.passwd']
            for name, message in messages:
                # Redirect to the first message whose password matches.
                if message.passwd == passwd:
                    nexturl = absoluteURL(message, self.request)
                    self.request.response.redirect(nexturl+'/edit.html')
                    break

However, this does not make sense, because users can access the editview
directly by just typing a URL like
http://localhost:8080/messageboardobject/messageobject/edit.html even if
they do not know the password.

I learned about principals, permissions, and roles, but they do not help
with this. Furthermore, I learned about user management, but it does not
help with this either, because I could only differentiate Member and
Visitor, and that does not mean I can differentiate all messages' roles.

This is an easy problem in a normal web application. Scripts which receive
a POST just print out new HTML (in this case Classname.post). However, I
would like to use browser:editview, and the only idea I have for showing
the editview is redirecting.

If you have any ideas, please let me know. Thanks.
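
Added example, not part of the original post and not Zope API: plain Python modelling why a password check followed by a redirect protects nothing, and how a per-message check inside the edit view itself closes the gap. The names Message, unlock, edit_unguarded and edit_guarded are assumptions, and the dict stands in for server-side session state.

```python
import hashlib
import hmac
import os

class Forbidden(Exception):
    """The session holds no grant for the requested message."""

class Message:
    def __init__(self, name, body, passwd):
        self.name, self.body = name, body
        self.salt = os.urandom(16)          # store a salted hash, not the password
        self.digest = self._kdf(passwd)

    def _kdf(self, passwd):
        return hashlib.pbkdf2_hmac("sha256", passwd.encode(), self.salt, 100_000)

    def check(self, passwd):
        return hmac.compare_digest(self.digest, self._kdf(passwd))  # constant time

def unlock(session, message, passwd):
    """Password form handler: on success, grant this session this one message."""
    if message.check(passwd):
        session.setdefault("unlocked", set()).add(message.name)
        return True
    return False

def edit_unguarded(session, message, new_body):
    """Models edit.html reached by URL: nothing ties it to the password form."""
    message.body = new_body

def edit_guarded(session, message, new_body):
    """The check sits in the edit view itself, so knowing the URL is not enough."""
    if message.name not in session.get("unlocked", ()):
        raise Forbidden(message.name)
    message.body = new_body

def demo():
    # Constructed sample data: two messages and one visitor session.
    m1, m2 = Message("msg1", "hello", "alpha-pw"), Message("msg2", "world", "beta-pw")
    session = {}
    edit_unguarded(session, m1, "no password typed")   # succeeds: the flaw
    ok = unlock(session, m2, "beta-pw")
    edit_guarded(session, m2, "edited by owner")        # allowed after unlock
    try:
        edit_guarded(session, m1, "other user's text")  # msg1 was never unlocked
        blocked = False
    except Forbidden:
        blocked = True
    return m1.body, m2.body, ok, blocked
```

Calling demo() returns the two message bodies plus the unlock and blocked flags; the grant is keyed by message name, so unlocking one message never opens another.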