Previous Chapter | Next Chapter | Up | Next Section | Contents

Creating and Managing Permissions


Zope manages security though a system of permissions and roles. Users are assigned roles and objects have permissions. Through the management interface you can bind permissions to roles for specific objects. See the Zope Content Manager's Guide for more information about security.

For our purposes, you should understand that a class's permissions define collections of methods which are grouped together in functional groups. In other words, you should think of you class as providing a number of discrete services. For each service you should provide a permission which controls access to the service.

Using Z Classes your job is to define permissions for your class so that access controls can be set on instances of your class.

The first step in defining your class's permissions should be to create methods and Property Sheets for your class. After your class can do something, then you should decide how to describe what it can do in terms of permissions. You must figure out if your methods should be covered by existing permissions of whether it would be better to create new permissions. For example if your class has an "index_html" method, this method is used to view instances of the class, so you can probably use the existing "View" permission with this method. If your class defines a number of methods for accessing remote servers, you might want to create a new permission for these methods called something like "Access remote server". A common Zope convention is to have a permission for adding objects of a given class and another for general managing of these objects. If your class's meta_type is "My Object" then these permissions would be named "Add My Objects" and "Change My Objects".

To control what permission a given method is bound to, click the "Define Permissions" tab while managing the class's permission. You will be presented with a form which maps the method's permissions to the class's permissions. This looks complex but in general you will only want to bind one permission of the method to a permission. In the case of DTML Methods this will be the "View" method. The reason for this is that you really only want instances of your class to be able to "View" a DTML Method. An instance should not be able to perform other actions on its methods such as editing them.

 

"Define Permissions" management screen for a Z Class method.

Property Sheets can be mapped to class permissions in exactly the same way as Methods are mapped to class permissions. While editing a Property Sheet click the "Define Permissions" tab. You will be presented with permission mapping management screen. In general you will want to map all Property Sheet permissions to identical class permissions in order to make your Property Sheets fully accessible from class instances.

To create entirely new permissions you should add Zope Permission objects to your Product folder. When creating new permissions you should keep in mind that the permission names need to be unique. In general you should limit the number of new permissions you create to the smallest reasonable number. By doing so you make it easier for managers to control the security settings of instances of your class.

You can control which permissions are available to your Z Class by going to the "Permissions" management tab. Your class inherits permissions from its base classes, so it may not be necessary to add new permissions.

Additionally Z Classes have a "Define Permissions" view which allows you to map permissions to operations of the Z Class itself. In general the only operation you should expose is the "Create class instances" operation which should be bound to a permission which is used for initialization. Zope will normally handle this detail for you, for example, in the CD class example, Zope automatically creates a "Add CDs" permission and maps "Create class instances" to this permission.

Previous Chapter | Next Chapter | Up | Next Section | Contents

Banner.Novgorod.Ru