History for UserAuthorization
Once a user has been identified, it needs to be authorized to perform an action. AccessControl/ImplPython.py contains the Python implementation of SecurityManager.

o User.py validate(request, auth, roles): at this stage, *roles has already been established* in ZPublisher/BaseRequest.py::

    roles = getattr(object, '__roles__', UNSPECIFIED_ROLES)

o def validate(object, container, name, value, roles)::

    # We found a user and the user wasn't the emergency user.
    # We need to authorize the user against the published object.
    if self.authorize(user, a, c, n, v, roles):
        ...

o def authorize(user, object, container, name, value, roles)

o getSecurityManager().validate()

o For more information about SecurityManager see http://www.zope.org/Members/jim/ZopeSecurity/SecurityManager/wikipage_view

o ImplPython/SecurityManager.validate::

    self._policy.validate(object, container, name, value, self._context, roles)

o Note that ZopeSecurityPolicy.py is empty. All the logic is in AccessControl/ImplPython.py.

o ImplPython/ZopeSecurityPolicy.validate

o The simplest case uses::

    context.user.allowed(value, roles)

  which calls User.py/BasicUser.allowed.

o def allowed(object, object_roles): matches the user's getRoles() with object.__roles__::

    user_roles = self.getRoles()
    for role in object_roles:
        if role in user_roles:
            # see note about _check_context below
            if self._check_context(object):
                return 1

o *_check_context*: check that 'object' exists in the acquisition context of the parent of the acl_users object containing this user, to prevent "stealing" access through acquisition tricks.::

    # Return true if in context, false if not or if context
    # cannot be determined (object is not wrapped).
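The role match in allowed() and the acquisition guard in _check_context() described above, as an added illustration that is not Zope's own code: the acquisition chain is modelled with a plain `parent` attribute standing in for aq_parent, and the site layout (alice, bob, projects, report, secret) is constructed for the example.

```python
class Node:
    """Content object; `parent` stands in for the aq_parent of a wrapper.
    An unwrapped object has parent None and can never pass the context check."""
    def __init__(self, name, parent=None, roles=None):
        self.name = name
        self.parent = parent
        self.__roles__ = roles  # None models UNSPECIFIED_ROLES (acquire)

class UserFolder(Node):
    """acl_users; users it holds are only valid under its parent."""

class User:
    def __init__(self, name, roles, acl_users):
        self.name = name
        self._roles = tuple(roles)
        self.acl_users = acl_users  # the UserFolder this user lives in

    def getRoles(self):
        return self._roles

    def _check_context(self, obj):
        # Walk obj's acquisition chain looking for the parent of the
        # acl_users folder that defines this user. False if the object is
        # unwrapped (no chain) or the chain never reaches that context.
        context = self.acl_users.parent
        if context is None or obj is None or obj.parent is None:
            return False
        while obj is not None:
            if obj is context:
                return True
            obj = obj.parent
        return False

    def allowed(self, obj, object_roles):
        """Grant only if a role matches AND obj lies inside this user's context."""
        user_roles = self.getRoles()
        for role in object_roles:
            if role in user_roles:
                return self._check_context(obj)
        return False

def build_site():
    """Constructed sample: a site-wide acl_users and one nested under /projects."""
    root = Node("root")
    root_users = UserFolder("acl_users", parent=root)
    projects = Node("projects", parent=root)
    proj_users = UserFolder("acl_users", parent=projects)
    report = Node("report", parent=projects, roles=("Manager",))
    secret = Node("secret", parent=root, roles=("Manager",))
    alice = User("alice", ("Manager",), root_users)  # Manager for the whole site
    bob = User("bob", ("Manager",), proj_users)      # Manager only below /projects
    return {"alice": alice, "bob": bob, "report": report, "secret": secret}
```

bob holds the same Manager role as alice, but because his acl_users sits under /projects, allowed() refuses him /secret even though the role name matches; that is the "stealing through acquisition" case the context check exists to block.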