Hi,

I ended up overriding the permission storage map. This might not be
so conservative, but seems to work. Kills any permission that is not
ALLOWED and stops propagation.

# Imports added so the snippet runs; module paths follow zope.app.securitypolicy,
# the same package the ZCML below registers against.
from zope.app.securitypolicy.principalpermission import \
    AnnotationPrincipalPermissionManager
from zope.app.securitypolicy.settings import Deny, Unset

# Permissions that may still be granted on a trashed object (list abbreviated).
ALLOWED = ['zope.View', 'zope.app.dublincore.view', ...]

class trashPermManager(AnnotationPrincipalPermissionManager):
    def getSetting(self, permission_id, principal_id, default=Unset):
        if permission_id in ALLOWED:
            # Allow-listed: fall through to the stored annotation setting.
            return AnnotationPrincipalPermissionManager.getSetting(
                self, permission_id, principal_id, default)
        else:
            # Deny is definitive, so the policy stops walking up the chain here.
            return Deny


  <adapter
      for=".interfaces.ITrashContainer"
      provides="zope.app.securitypolicy.interfaces.IPrincipalPermissionMap"
      factory=".adapter.trashPermManager"
      />

> In a similar use-case, yes, I set up all relevant permissions for a `new
> arrival` using a subscriber - including denying permissions on
> sub-objects. I felt that being explicit about my security design was a
> good decision.

> Hope that helps.
> Darryl


-- 
Best regards,
 Adam                            mailto:[EMAIL PROTECTED]
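A plain-Python model of the allow-listing idea in the message above, added here as an example and not code from the post or from Zope: PermissionMapStub and GRANTS are constructed stand-ins for an annotation-backed principal permission map, and TrashPermissionMap filters all four IPrincipalPermissionMap query methods, not only getSetting, so that enumeration paths report the same Deny for anything outside ALLOWED.

```python
Allow, Deny, Unset = "Allow", "Deny", "Unset"  # stand-ins for the zope settings
ALLOWED = frozenset({"zope.View", "zope.app.dublincore.view"})


class PermissionMapStub:
    """Constructed stand-in for an annotation-backed principal permission map."""

    def __init__(self, grants):
        self._grants = dict(grants)  # {(permission_id, principal_id): setting}

    def getSetting(self, permission_id, principal_id, default=Unset):
        return self._grants.get((permission_id, principal_id), default)

    def getPrincipalsForPermission(self, permission_id):
        return [(pr, s) for (pe, pr), s in self._grants.items() if pe == permission_id]

    def getPermissionsForPrincipal(self, principal_id):
        return [(pe, s) for (pe, pr), s in self._grants.items() if pr == principal_id]

    def getPrincipalsAndPermissions(self):
        return [(pe, pr, s) for (pe, pr), s in self._grants.items()]


class TrashPermissionMap(PermissionMapStub):
    """Deny-by-default view of the same grants: only ALLOWED permissions pass.
    Every query method is filtered, not only getSetting, so code that
    enumerates grants never sees a permission that getSetting would deny."""

    def getSetting(self, permission_id, principal_id, default=Unset):
        if permission_id in ALLOWED:
            return super().getSetting(permission_id, principal_id, default)
        return Deny  # definitive: the policy stops here instead of asking parents

    def getPrincipalsForPermission(self, permission_id):
        found = super().getPrincipalsForPermission(permission_id)
        return found if permission_id in ALLOWED else [(pr, Deny) for pr, _ in found]

    def getPermissionsForPrincipal(self, principal_id):
        return [(pe, s if pe in ALLOWED else Deny)
                for pe, s in super().getPermissionsForPrincipal(principal_id)]

    def getPrincipalsAndPermissions(self):
        return [(pe, pr, s if pe in ALLOWED else Deny)
                for pe, pr, s in super().getPrincipalsAndPermissions()]


GRANTS = {  # constructed sample grants stored on a trashed object
    ("zope.View", "alice"): Allow,
    ("zope.ManageContent", "alice"): Allow,
    ("zope.ManageContent", "bob"): Deny,
}
```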

_______________________________________________
Zope3-dev mailing list
Zope3-dev@zope.org
Unsub: http://mail.zope.org/mailman/options/zope3-dev/archive%40mail-archive.com