[Zope3-Users] Re: Comflicting security annotations

Philipp von Weitershausen philipp at weitershausen.de
Tue Nov 14 13:25:26 EST 2006

FB wrote:
> what is Zope supposed to do, when there are conflicting security annotations
> applied to an object?

That depends on the implementation of your security policy. It decides 
if a principal has a permission for a given context or not.

> I'd like to make an object inaccessible - except for members of a given role.
> This is how it should look like:
>   grantPermissionToRole('zope.View','role.admins',Allow)
>   denyPermissionToRole('zope.View','zope.Anybody',Deny)
> Is this possible?

The zope.app.securitypolicy.interfaces.IRolePermissionManager adapter 
seems to do what you want. The spelling is essentially the same except 
for that redudant third parameter. Use IPrincipalPermissionManager if 
you want to grant/deny permissions to a principal (or group).

> If not, why? Maybe there's a more elegant solution?
> 'zope.Anybody' is defined as a "group" in etc/principals.zcml. Can I
> use it like a role?

No. Groups are principals which means you can grant or deny permissions 
to all principals within that group by working on the group.

> Is there a role, any anonymous user *and* any authenticated user is
> automagically assigned to?

Not that I know of, but I figure you could easily make one that is. Of 
course, you could always use the zope.Anybody group to represent all 
principals. I think groups are the more sensible thing to use here.

http://worldcookery.com -- Professional Zope documentation and training

More information about the Zope3-users mailing list