Re: [Zope3-Users] How to allow one user to access only his object
Hi.

It worked. Interesting.
I appreciate it, TAHARA.

> from zope.app.session.interfaces import ISession
>
> PACKAGE_NAME = 'your application name'
>
> class MessageEditView:
>
>     def __init__(self, context, request):
>
>         session = ISession(request)[PACKAGE_NAME]
>
>         password = request.get('password')
>         if password is None:
>             password = session.get('password')
>
>         message = getMessage(context, password)  # please implement this:)
>
>         session['password'] = password
>
>         self.context = message  # trick1
>         self.request = request
>         self._setUpWidgets()
>
>   label="Edit Message"
>   name="edit.html"
>   for="IMessageBoard"
>   schema="IMessage"  <-- trick2
>   class="MessageEditView"
>   permission="zope.ManageContent"
>   menu="zmi_views"
>   title="Edit Message"
>   />
> """

___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users
Re: [Zope3-Users] How to allow one user to access only his object
I got another trouble.

I succeeded to show edit.html, but I could not edit actually.
edit.html is an editview page. So, the html has post tag like

http://.../messageboardobject/edit.html

Therefore, the same traverser tries to receive this posted action, and tries to check password again (actually, and id) to find message object.

Therefore, I have to pass password and id which was posted before at password.html using hidden field or some ways. Or, I have to specify different page for . I have no idea how editview's post action is working, so I am not sure specifying different page for post action works, though.

How can I resolve this problem? If anyone has any idea, please let me know.

Thanks.
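Added example (not part of the original posts, and not Zope code): a framework-free Python model of the situation in this thread, where password.html unlocks one message and the edit form's POST-back then arrives without the password. It assumes a per-user session dict standing in for ISession(request)[PACKAGE_NAME], looks the message up by a hypothetical id instead of by password, remembers the unlocked id rather than the password, and swaps the thread's plaintext comparison for a salted PBKDF2 hash checked with hmac.compare_digest; all names are illustrative.

```python
import hashlib
import hmac
import os

class NotFound(Exception):
    """Stand-in for zope.publisher.interfaces.NotFound."""

def hash_password(password, salt):
    # Assumption: salted PBKDF2 instead of the thread's plaintext msg.passwd.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Message:
    def __init__(self, text, password):
        self.text = text
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)

    def check(self, password):
        # Constant-time comparison of the derived hashes.
        return hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)

def traverse_edit(board, session, msg_id, form):
    # board: dict id -> Message; session: per-user dict (hypothetical);
    # form: submitted fields. Returns the message or raises NotFound.
    msg = board.get(msg_id)
    if msg is None:
        raise NotFound(msg_id)
    password = form.get("field.passwd")
    if password is not None and msg.check(password):
        # Remember the unlocked message id, not the password itself.
        session.setdefault("unlocked", set()).add(msg_id)
    if msg_id not in session.get("unlocked", ()):
        raise NotFound(msg_id)
    return msg

def demo():
    # Constructed sample data.
    board = {"m1": Message("hello", "KDJFKJA"), "m2": Message("other", "s3cret")}
    session, out = {}, []
    steps = [("m1", {"field.passwd": "KDJFKJA"}),  # posted from password.html
             ("m1", {"field.title": "new"}),        # edit form POST-back, no password
             ("m2", {}),                            # direct URL, never unlocked
             ("m2", {"field.passwd": "wrong"})]     # wrong password
    for msg_id, form in steps:
        try:
            out.append(traverse_edit(board, session, msg_id, form).text)
        except NotFound:
            out.append("NotFound")
    return out
```

Because the session records only which message ids were unlocked, a second message that happens to share a password is not opened by accident, which the password-only lookup in the thread's _guessTraverse cannot guarantee.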
Re: [Zope3-Users] How to allow one user to access only his object
Hi.

I made a traverser for Message objects also, and I prohibited access to editview.html there. It worked.

Thank you, TAHARA.

from zope.interface import implements
from zope.publisher.interfaces import NotFound
from zope.app import zapi
from zope.app.container.traversal import ContainerTraverser
from zope.publisher.interfaces import IPublishTraverse

# IMessageBoard and IMessage are the application's own interfaces.

class MessageBoardTraverser(ContainerTraverser):
    __used_for__ = IMessageBoard

    def publishTraverse(self, request, name):
        if name == 'edit.html':
            # Only hand out the edit view of the message whose password matches.
            subob = self._guessTraverse(request, name)
            if subob is not None:
                view = zapi.queryMultiAdapter((subob, request), name=name)
                if view is not None:
                    return view
            raise NotFound(subob, name, request)
        return super(MessageBoardTraverser, self).publishTraverse(request, name)

    def _guessTraverse(self, request, name):
        msgs = IMessageBoard(self.context).items()
        passwd = request['field.passwd']
        for name, msg in msgs:
            if passwd == msg.passwd:
                return msg
        return None

class MessageTraverser(object):
    implements(IPublishTraverse)
    __used_for__ = IMessage

    def __init__(self, context, request):
        self.context = context
        self.request = request

    def publishTraverse(self, request, name):
        # Direct access to a message's edit.html is always rejected.
        if name == 'edit.html':
            raise NotFound(self.context, name, request)
        view = zapi.queryMultiAdapter((self.context, request), name=name)
        if view is not None:
            return view
        raise NotFound(self.context, name, request)
Re: [Zope3-Users] How to allow one user to access only his object
Sorry, this code did not make sense.

This code tries to traverse 'messageboardobject/messageobject/edit.html' also. I could access directly. I tried to reject only this by replacing else: to

elif string.find(name, 'editmine.html') == -1:

But, name value receives only 'messageobject' in this case, right?

How can I reject only 'messageboardobject/messageobject/edit.html'?

It looks there are smarter ways.

> def publishTraverse(self, request, name):
>     if name == 'edit.html':
>         subob = self._guessTraverse(request, name)
>         if subob is not None:
>             view = zapi.queryMultiAdapter((subob, request),
>                                           name=name)
>             if view is not None:
>                 return view
>         raise NotFound(subob, name, request)
>
>     else:
>         subob = self.context.get(name, None)
>         if subob is None:
>             view = zapi.queryMultiAdapter((self.context, request),
>                                           name=name)
>             if view is not None:
>                 return view
>
>             raise NotFound(self.context, name, request)
>
>         return subob
Re: [Zope3-Users] How to allow one user to access only his object
Hi.

At this post method, do I redirect to a URL like ./edit.html?field.passwd=KDJFKJA ? It is not cool. Are there any ways?

Why you don't post to "edit.html" from "password.html"?

Yes, it worked. It seems I was being confused.

zapi.queryView has been deprecated. You should use queryMultiAdapter.

queryMultiAdapter((self.context, request), name=name)

Okay, but, why returning a message object (subob) does not work? I just want to know. It is weird.

if MessageBoardTraverser works well, you can protect "edit.html" from invalid access.

It seems I was misunderstanding again. Yes, it prohibited the direct access http://localhost:8080/messageboardobject/messageobject/edit.html, rather, it prohibits all access under /messageobject/.

I have other views like http://.../messageboardobject/messageobject/show.html. So, I added codes to publishTraverse() by imitating parent's ContainerTraverse like

def publishTraverse(self, request, name):
    if name == 'edit.html':
        subob = self._guessTraverse(request, name)
        if subob is not None:
            view = zapi.queryMultiAdapter((subob, request), name=name)
            if view is not None:
                return view
        raise NotFound(subob, name, request)
    else:
        subob = self.context.get(name, None)
        if subob is None:
            view = zapi.queryMultiAdapter((self.context, request), name=name)
            if view is not None:
                return view
            raise NotFound(self.context, name, request)
        return subob

After 'else:' this is traversing everything if there are accesses like 'messageboardobject/messageobject/show.html' except 'messageboardobject/edit.html'.

Is this the most efficient way?

And, why returning subob works here, and it did not work before (inside of 'if name == 'edit.html':'). How should I understand what returning subob does. This is optional question. If you know this, please let me know.

Thanks.
Re: [Zope3-Users] How to allow one user to access only his object
Hi.

class MessageTraverser:
    implements(IPublishTraverse)
    __used_for__ = IMessage

    def publishTraverse(self, request, name):
        if name == 'edit.html':
            # verify password and return a message or raise NotFoundError.

How do I pass POSTed value to publishTraverse's request?

from zope.publisher.interfaces import NotFound
from zope.app import zapi
from zope.app.container.traversal import ContainerTraverser

class MessageBoardTraverser(ContainerTraverser):
    __used_for__ = IMessageBoard

    def publishTraverse(self, request, name):
        if name == 'edit.html':
            subob = self._guessTraverse(request, name)
            if subob is not None:
                view = zapi.queryView(subob, name, request)
                if view is not None:
                    return view
            raise NotFound(self.context, name, request)
        view = zapi.queryView(self.context, name, request)
        if view is not None:
            return view
        raise NotFound(self.context, name, request)

    def _guessTraverse(self, request, name):
        msgs = IMessageBoard(self.context).items()
        passwd = request['field.passwd']
        for name, msg in msgs:
            if passwd == msg.passwd:
                return msg
        return None

---

class Classname(object):
    def post(self):
        nexturl = './edit.html'
        self.request.response.redirect(nexturl)

At this post method, do I redirect to a URL like ./edit.html?field.passwd=KDJFKJA ? It is not cool. Are there any ways?

Furthermore, returning object in publishTraverse() did not work. I had to create a view like zapi.queryView(subob, name, request). Why? Am I missing something?

Furthermore, can I prohibit users to access directly as http://localhost:8080/messageboardobject/messageobject/edit.html? It looks I have to keep open this URL so that Traverser can open this. But, if this is possible, nothing was changed from before.
[Zope3-Users] How to allow one user to access only his object
Hi.

I have one more question.

Imagine there are a MessageBoard and many Message objects. I would like to allow users to modify only his message as common message board if user type a password for the message.

I made a view to show forms to be typed password, and I processed POSTed values, and I redirected to the message object's editview like

class Classname(object):
    def post(self):
        messages = IMessageBoard(self.context).items()
        passwd = self.request['field.passwd']
        for name, message in messages:
            if message.passwd == passwd:
                nexturl = absoluteURL(message, self.request)
                self.request.response.redirect(nexturl+'/edit.html')
                break

However, it does not make sense because users can access directly by just typing URL like http://localhost:8080/messageboardobject/messageobject/edit.html even if he does not know password.

I learned principals, permission, roles, but they do not help this. Furthermore, I learned user management, but it does not help this also because I could just differentiate Member and Visitor, and it does not mean I can differentiate all messages' roles.

This is easy problem in normal web application. Scripts which receive POST just print out new html (in this case Classname.post). However, I would like to use browser:editview and I have only idea, redirecting, to show the editview.

If you have any idea, please let me know.

Thanks.
[Zope3-Users] How to pass an added object to redirected page
I would like to make a page like that users can make sure what they inputted at addform page.

Now, my codes are simply like

And, in the specified class name,

class Classname:
    def nextURL(self):
        return 'nexturl.html'

So, this is just redirecting to different page after users add object. I have no idea to access to the data of the added object at 'nexturl.html'. If possible, I can show what users inputted.

I tried to use subscriber and IObjectAddedEvent. Now, I can access to the 'now' added object, but I can not redirect to different page in this time because I could not use self.request (.response.redirect)

If you have any idea, please let me know.

Thanks.