[Zope3-Users] Re: how to know if a principal has the right permissions

Lorenzo Gil Sanchez lgs at sicem.biz
Mon Aug 28 15:11:39 EDT 2006

El lun, 28-08-2006 a las 20:49 +0200, Philipp von Weitershausen
> Lorenzo Gil Sanchez wrote:
> >> Right. Because you're not supposed to poke at __data. The two
> >> underscores should scare you off!
> >>
> >> By the way, this is a rule of thumb:
> >>
> >> Whenever you get ForbiddenAttribute errors, you're doing something
> >> wrong. Either:
> >>
> >>   1. you're missing security declarations
> >>
> >>   2. you're accessing something that purposely has no security
> >>      declarations because you're not supposed to access it.
> >>
> >> Most of the times when newbies hit ForbiddenAttribute, it's #1. In your
> >> case it's #2.
> >>
> >> If you would take advantage of interfaces and look at IContainer, you
> >> would see that contianers are like mappings (=dictionaries). Therefore,
> >> in order to add something in the container, you need to be able to
> >> access the __setitem__ method. Check for that and you'll be all set.
> >>
> > Sorry, my fault: I forgot to mention that I *did try*
> > zope.security.canWrite(obj, '__setitem__') before and it always returns
> > False, no matter if I try with the right user.
> Why canWrite? You're not trying to *set* __setitem__! You should be
> checking for canAccess(container, '__setitem__'). People who want to add
> stuff to a container want to *call* container.__setitem__(...). I
> suggest you read up on the Python mapping API.

Oh! that was a stupid error indeed :(

Using canAccess now just does the opposite: it always returns True. I
guess that's because when I register my container in the ZCML file I'm
using zope.Public for the whole interface. I should split my interface
in two interfaces, one for read-only attributes and one for write
attributes, like the IContainer does.

So instead of inheriting my INewsFolder interface from IContainer I
inherit from IReadContainer and I explicit say in the configure.zcml
that it also implements IWriteContainer. That way I can specify
different permission for read and write attributes.

Thanks a lot for your answers Philipp


More information about the Zope3-users mailing list