[Zope3-Users] PAU, how to grant roles to groups

FB fbo2 at gmx.net
Fri Sep 8 05:55:47 EDT 2006


On Fri, Sep 08, 2006 at 10:12:34AM +0400, Denis Shaposhnikov wrote:
> >>>>> "Stephan" == Stephan Richter <srichter at cosmos.phy.tufts.edu> writes:
> 
>  Stephan> You cannot grant permissions via ZCML to principals that are
>  Stephan> located in the ZODB. You have to use the "Grant" view of the
>  Stephan> folder for this.
> 
> Oh, that's bad news. Am I right that Zope3 has principals either in
> ZODB or ZCML?

Principals in Zope3 are identified by simple text strings (e.g.
zope.Manager). When a request is processed by the zope server, it tries to
find an IAuthentication utility which has a method to provide credentials
(username, password) returning a principal object which is not persistent
(-> changing attributes on that object won't affect anything after that
request).

The problem is: when the ZCML tree is parsed, any <grant> statement tries to verify
whether a given principal exists. This verification fails for principals provided
by a PAU or another Site-Manager-registered IAuthentication utility.

If you want to assign a permission to a principal for the whole zodb, just
do that for the root folder and it will be inherited down the traverse path.

Example:

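 from zope.app.securitypolicy.interfaces import IPrincipalPermissionManager
 from zope.app import zapi

 # `context` is any object located in the ZODB tree (e.g. a view's context)
 root = zapi.getRoot(context)
 # adapt the root folder to its principal-permission grant map
 ppm = IPrincipalPermissionManager(root)
 # arguments: permission id, then principal id (both plain strings)
 ppm.grantPermissionToPrincipal('zope.ManageContent', 'my.principal')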

The permission-principal-assignment is stored as a simple text-tuple - there's no
check for validity of either the principal's or the permission's id.

Regards,

Frank
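
Added example, not part of the original post and not Zope code: because grants are stored as unvalidated id strings, a misspelled id is accepted silently, so the sketch below audits a grant map for ids that do not resolve. `StubGrantMap`, `audit_grants`, `demo` and the sample ids are constructed for illustration, and the `(permission id, principal id, setting)` tuple order is an assumption about what the real manager's `getPrincipalsAndPermissions()` returns.

```python
# Added example (not from the original post). StubGrantMap is a constructed
# stand-in for the adapter returned by IPrincipalPermissionManager(obj).

class StubGrantMap:
    """Stores grants as plain id tuples, with no validation of either id."""

    def __init__(self):
        self._cells = {}

    def grantPermissionToPrincipal(self, permission_id, principal_id):
        self._cells[(permission_id, principal_id)] = "Allow"

    def getPrincipalsAndPermissions(self):
        # Assumed tuple order: (permission id, principal id, setting).
        return [(perm, prin, s) for (perm, prin), s in self._cells.items()]


def audit_grants(grant_map, principal_exists, permission_exists):
    """Return (permission_id, principal_id, setting, problems) for every
    stored grant whose principal or permission id does not resolve."""
    findings = []
    for permission_id, principal_id, setting in grant_map.getPrincipalsAndPermissions():
        problems = []
        if not permission_exists(permission_id):
            problems.append("unknown permission")
        if not principal_exists(principal_id):
            problems.append("unknown principal")
        if problems:
            findings.append((permission_id, principal_id, str(setting), problems))
    return sorted(findings)


def demo():
    # Constructed sample data: the ids the site can actually resolve.
    known_principals = {"my.principal"}
    known_permissions = {"zope.ManageContent"}
    grants = StubGrantMap()
    grants.grantPermissionToPrincipal("zope.ManageContent", "my.principal")
    grants.grantPermissionToPrincipal("zope.ManageContent", "my.principl")  # typo
    grants.grantPermissionToPrincipal("zope.ManageContnt", "my.principal")  # typo
    return audit_grants(grants, known_principals.__contains__,
                        known_permissions.__contains__)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In a real site the two callbacks would wrap a lookup through the site's IAuthentication utility and the registered permissions; how that lookup is wired is left to the deployment.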

