[Zope3-Users] PAU, how to grant roles to groups

Fri Sep 8 05:55:47 EDT 2006

On Fri, Sep 08, 2006 at 10:12:34AM +0400, Denis Shaposhnikov wrote:
> >>>>> "Stephan" == Stephan Richter <srichter at cosmos.phy.tufts.edu> writes:
>  Stephan> You cannot grant permissions via ZCML to principals that are
>  Stephan> located in the ZODB. You have to use the "Grant" view of the
>  Stephan> folder for this.
> Oh, that's bad news. Am I right that Zope3 has principals either

Principals in Zope3 are identified by simple text strings (e.g.
zope.Manager). When a request is processed by the Zope server, it tries to
find an IAuthentication utility which has a method to provide credentials
(username, password) returning a principal object which is not persistent
(-> changing attributes on that object won't affect anything after that

The problem is: when the ZCML tree is parsed, any <grant> statement tries to verify
whether a given principal exists. This verification fails for principals provided
by a PAU or another Site-Manager-registered IAuthentication utility.

If you want to assign a permission to a principal for the whole ZODB, just
do that for the root folder and it will be inherited down the traversal path.


 from zope.app.securitypolicy.interfaces import IPrincipalPermissionManager
 from zope.app import zapi


The permission-principal assignment is stored as a simple text tuple - there's no
check for validity of either the principal's or the permission's id.
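
An added example, not part of the original message and not Zope's own code: a simplified pure-Python model of the behaviour described above, where a grant is stored as plain strings without validation and a grant on the root folder applies further down the path. The Folder class, the audit_grants helper and the principal ids are hypothetical, and the model assumes the nearest explicit setting wins while ignoring roles and group membership.

```python
# Simplified stand-in for a per-folder principal-permission map (not Zope code).
ALLOW, DENY, UNSET = "Allow", "Deny", "Unset"

class Folder:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.grants = {}  # (permission_id, principal_id) -> ALLOW or DENY

    def grant(self, permission_id, principal_id, setting=ALLOW):
        # As described in the message: plain strings are stored, nothing is checked.
        self.grants[(permission_id, principal_id)] = setting

def effective_setting(folder, permission_id, principal_id):
    """Walk from the object up to the root; the nearest explicit setting wins."""
    while folder is not None:
        setting = folder.grants.get((permission_id, principal_id))
        if setting is not None:
            return setting
        folder = folder.parent
    return UNSET

def audit_grants(folders, known_permissions, known_principals):
    """List stored grants whose ids resolve to nothing (typos, removed principals)."""
    findings = []
    for folder in folders:
        for (perm, principal) in sorted(folder.grants):
            if perm not in known_permissions:
                findings.append((folder.name, "unknown permission", perm))
            if principal not in known_principals:
                findings.append((folder.name, "unknown principal", principal))
    return findings

def build_sample():
    # Constructed sample tree and ids, for illustration only.
    root = Folder("root")
    docs = Folder("docs", parent=root)
    root.grant("zope.ManageContent", "pau.group.editors")
    docs.grant("zope.ManageContent", "pau.group.editor")  # typo, silently stored
    return root, docs

if __name__ == "__main__":
    root, docs = build_sample()
    print(effective_setting(docs, "zope.ManageContent", "pau.group.editors"))
    print(audit_grants([root, docs], {"zope.ManageContent"}, {"pau.group.editors"}))
```

Because nothing rejects a mistyped id at grant time, a periodic audit of this kind is what catches grants that protect or expose nothing.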



