Mailing List Archive

View permissions not triggering
Hi,

I'm working on a view for "logged_in". I thought I could simply replace
the current check for an anonymous by a view permission such as
"cmf.AddPortalContent" but no matter what I set the view remains callable
by a non-authenticated user. Are the permissions being ignored or have I
got the wrong end of the stick?

Charlie
--
Charlie Clark
Managing Director
Clark Consulting & Research
German Office
Helmholtzstr. 20
Düsseldorf
D- 40215
Tel: +49-211-600-3657
Mobile: +49-178-782-6226
_______________________________________________
Zope-CMF maillist - Zope-CMF@zope.org
https://mail.zope.org/mailman/listinfo/zope-cmf

See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests
Re: View permissions not triggering [ In reply to ]
Hi!


Charlie Clark wrote:
> I'm working on a view for "logged_in". I thought I could simply replace
> the current check for an anonymous

Which "current check" do you mean? Right now there is no logged_in view
so there is no permission check for a logged_in view.

> by a view permission such as
> "cmf.AddPortalContent" but no matter what I set the view remains callable
> by a non-authenticated user. Are the permissions being ignored or have I
> got the wrong end of the stick?

In case you are modifying the permission for the logged_in *action*
you've got the wrong end.


Cheers,

Yuppie
_______________________________________________
Zope-CMF maillist - Zope-CMF@zope.org
https://mail.zope.org/mailman/listinfo/zope-cmf

See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests
Re: View permissions not triggering [ In reply to ]
Am 26.06.2010, 16:03 Uhr, schrieb yuppie <y.2010@wcm-solutions.de>:

Hiya yuppie,

I guess it's only appropriate that you replied to this.

> Which "current check" do you mean? Right now there is no logged_in view
> so there is no permission check for a logged_in view.

In the PythonScript logged_in.py the following check is performed:

isAnon = mtool.isAnonymousUser()
if isAnon:
context.REQUEST.RESPONSE.expireCookie('__ac', path='/')
options['is_anon'] = True
options['title'] = _(u'Login failure')
options['admin_email'] = ptool.getProperty('email_from_address')

>> by a view permission such as
>> "cmf.AddPortalContent" but no matter what I set the view remains
>> callable
>> by a non-authenticated user. Are the permissions being ignored or have I
>> got the wrong end of the stick?

> In case you are modifying the permission for the logged_in *action*
> you've got the wrong end.

No, I mean the permission set in the zcml view registration. As previously
discussed, I don't think "logged_in" and "logged_out" should be portal
actions as they are states.

Charlie
--
Charlie Clark
Managing Director
Clark Consulting & Research
German Office
Helmholtzstr. 20
Düsseldorf
D- 40215
Tel: +49-211-600-3657
Mobile: +49-178-782-6226
_______________________________________________
Zope-CMF maillist - Zope-CMF@zope.org
https://mail.zope.org/mailman/listinfo/zope-cmf

See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests
Re: View permissions not triggering [ In reply to ]
On Sat, Jun 26, 2010 at 4:08 PM, Charlie Clark
<charlie.clark@clark-consulting.eu> wrote:
> No, I mean the permission set in the zcml view registration. As previously
> discussed, I don't think "logged_in" and "logged_out" should be portal
> actions as they are states.

What exact zcml registration do you use? A browser:page or a
browser:view directive?

Browser pages should handle permissions just fine. Browser views don't
support the permission attribute in Zope2 / Five. This feature has
just never been implemented. See
https://bugs.launchpad.net/zope2/+bug/578326 for a recent report.

Hanno
_______________________________________________
Zope-CMF maillist - Zope-CMF@zope.org
https://mail.zope.org/mailman/listinfo/zope-cmf

See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests
Re: View permissions not triggering [ In reply to ]
Am 26.06.2010, 16:57 Uhr, schrieb Hanno Schlichting <hanno@hannosch.eu>:

> What exact zcml registration do you use? A browser:page or a
> browser:view directive?
> Browser pages should handle permissions just fine. Browser views don't
> support the permission attribute in Zope2 / Five. This feature has
> just never been implemented. See
> https://bugs.launchpad.net/zope2/+bug/578326 for a recent report.

Hi Hanno,

It's a browser page:

<browser:page
for="Products.CMFCore.interfaces.ISiteRoot"
layer="Products.CMFDefault.interfaces.ICMFDefaultSkin"
name="logged_in.html"
class=".authentication.LoggedIn"
permission="cmf.ListPortalMembers"
/>

I've tried various permissions - just need one the lowest level that
members have but no dice.

FWIW this is on trunk.

Charlie
--
Charlie Clark
Managing Director
Clark Consulting & Research
German Office
Helmholtzstr. 20
Düsseldorf
D- 40215
Tel: +49-211-600-3657
Mobile: +49-178-782-6226
_______________________________________________
Zope-CMF maillist - Zope-CMF@zope.org
https://mail.zope.org/mailman/listinfo/zope-cmf

See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests