[Zope3-Users] Re: how to know if a principal has the right permissions

Philipp von Weitershausen philipp at weitershausen.de
Mon Aug 28 14:49:52 EDT 2006

Lorenzo Gil Sanchez wrote:
>> Right. Because you're not supposed to poke at __data. The two
>> underscores should scare you off!
>> By the way, this is a rule of thumb:
>> Whenever you get ForbiddenAttribute errors, you're doing something
>> wrong. Either:
>>   1. you're missing security declarations
>>   2. you're accessing something that purposely has no security
>>      declarations because you're not supposed to access it.
>> Most of the times when newbies hit ForbiddenAttribute, it's #1. In your
>> case it's #2.
>> If you would take advantage of interfaces and look at IContainer, you
>> would see that contianers are like mappings (=dictionaries). Therefore,
>> in order to add something in the container, you need to be able to
>> access the __setitem__ method. Check for that and you'll be all set.
> Sorry, my fault: I forgot to mention that I *did try*
> zope.security.canWrite(obj, '__setitem__') before and it always returns
> False, no matter if I try with the right user.

Why canWrite? You're not trying to *set* __setitem__! You should be
checking for canAccess(container, '__setitem__'). People who want to add
stuff to a container want to *call* container.__setitem__(...). I
suggest you read up on the Python mapping API.

> That's why I started to poke with '__data' which I know was going to be
> a hack. By the way, by your rule of thumb I should not play with
> '__setitem__' neiter (e.g. it has four underscores).

You did not understand my rule of thumb. Read the rule of thumb again
and check whether it contains any mentionings of underscores. It
doesn't. It's about ForbiddenAttribute errors, not underscores. And if
you'd know your Python, you'd know __setitem__ is a standard mapping API


More information about the Zope3-users mailing list