[Zope3-Users] Re: how to know if a principal has the right permissions

Philipp von Weitershausen philipp at weitershausen.de
Mon Aug 28 14:35:10 EDT 2006

Lorenzo Gil Sanchez wrote:
> El dom, 27-08-2006 a las 23:53 +0200, Philipp von Weitershausen
> escribió:
>> zope.security.canAccess
>> zope.security.canWrite
> Nice, I didn't know about those and I ended writing my own solution:
>     def canAdd(self):
>         interaction = ZopeSecurityPolicy()
>         interaction.add(Participation(self.request.principal))

Ack. Just get the current interaction with
zope.security.management.getInteraction(). With this code you're
hard-wiring yourself to the security policy in zope.app.securitypolicy.

>         return interaction.checkPermission("zope.ManageContent",
> self.context)
> I'm trying to know if the user can add an item to a container. I don't
> know how to do that with zope.security.canWrite. I tried with
> zope.security.canWrite(self.context, '__data') 
> since my container inherits from SampleContainer and the '__data'
> attribute is a dictionariy like objet where the children are stored. I
> get a ForbiddenAttribute exception with that code.

Right. Because you're not supposed to poke at __data. The two
underscores should scare you off!

By the way, this is a rule of thumb:

Whenever you get ForbiddenAttribute errors, you're doing something
wrong. Either:

  1. you're missing security declarations

  2. you're accessing something that purposely has no security
     declarations because you're not supposed to access it.

Most of the times when newbies hit ForbiddenAttribute, it's #1. In your
case it's #2.

If you would take advantage of interfaces and look at IContainer, you
would see that contianers are like mappings (=dictionaries). Therefore,
in order to add something in the container, you need to be able to
access the __setitem__ method. Check for that and you'll be all set.


More information about the Zope3-users mailing list