[Zope3-Users] Re: how to know if a principal has the right permissions

Lorenzo Gil Sanchez lgs at sicem.biz
Mon Aug 28 14:44:31 EDT 2006

El lun, 28-08-2006 a las 20:35 +0200, Philipp von Weitershausen

> Ack. Just get the current interaction with
> zope.security.management.getInteraction(). With this code you're
> hard-wiring yourself to the security policy in zope.app.securitypolicy.
Thanks, that's good to know.

> Right. Because you're not supposed to poke at __data. The two
> underscores should scare you off!
> By the way, this is a rule of thumb:
> Whenever you get ForbiddenAttribute errors, you're doing something
> wrong. Either:
>   1. you're missing security declarations
>   2. you're accessing something that purposely has no security
>      declarations because you're not supposed to access it.
> Most of the times when newbies hit ForbiddenAttribute, it's #1. In your
> case it's #2.
> If you would take advantage of interfaces and look at IContainer, you
> would see that contianers are like mappings (=dictionaries). Therefore,
> in order to add something in the container, you need to be able to
> access the __setitem__ method. Check for that and you'll be all set.
Sorry, my fault: I forgot to mention that I *did try*
zope.security.canWrite(obj, '__setitem__') before and it always returns
False, no matter if I try with the right user.

That's why I started to poke with '__data' which I know was going to be
a hack. By the way, by your rule of thumb I should not play with
'__setitem__' neiter (e.g. it has four underscores).


More information about the Zope3-users mailing list