Discussion:
[Erp5-dev] checking view permission on an unaccessible object
Bartek Gorny
2006-11-14 17:26:06 UTC
Hi

I have a funny problem: I have an object's path and I have to check if
I have a View permission on the object, but obviously sometimes I
don't have it, nor Access Content Information permission. The problem
is that to check permissions (by getSecurityManager().checkPermission
or other similar ways) I have to get the object, and I am not
authorized to do it. Then the "Unauthorized" exception is thrown.

I could try to catch the exception, but I'm doing it from a ZMI Python
script - to catch the exception I have to import its class, but in ZMI
importing Unauthorized is - well, unauthorized...

And I'm stuck. The only way I can think of to solve this problem is to
search for the object in portal_catalog (by relative_url) and see if
it returns something - does it make sense, or is it a waste of
resources?

Bartek
--
"Software is largely a service industry operating under the persistent
but unfounded delusion that it is a manufacturing industry."
Eric S. Raymond, "The Magic Cauldron"
Romain Courteaud
2006-11-14 17:55:14 UTC
Post by Bartek Gorny
Hi
I have a funny problem: I have an object's path and I have to check if
I have a View permission on the object, but obviously sometimes I
don't have it, nor Access Content Information permission. The problem
is that to check permissions (by getSecurityManager().checkPermission
or other similar ways) I have to get the object, and I am not
authorized to do it. Then the "Unauthorized" exception is thrown.
I could try to catch the exception, but I'm doing it from a ZMI Python
script - to catch the exception I have to import its class, but in ZMI
importing Unauthorized is - well, unauthorized...
And I'm stuck. The only way I can think of to solve this problem is to
search for the object in portal_catalog (by relative_url) and see if
it returns something - does it make sense, or is it a waste of
resources?
You can use something like:

# Try to access the object
# If None is returned, you don't have access permission
obj = portal.restrictedTraverse(obj_path, None)
if obj is not None:
    # You can access it, so test the permission you wish
    portal.portal_membership.checkPermission('Permission name', obj)

Romain
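
Added example, not part of the original thread and not Zope or ERP5 code: a small stand-in model of the behaviour the reply above relies on, where passing a default to the traversal call turns a failure into a return value instead of an exception. Node, restricted_traverse, can and the sample tree are hypothetical names constructed for illustration; in this model a False result does not distinguish a forbidden object from a missing one.

```python
# Stand-in model of Zope-style restricted traversal (constructed for this
# example; these classes and functions are hypothetical, not Zope/ERP5 code).
class Unauthorized(Exception):
    pass

_marker = object()  # sentinel meaning "caller supplied no default"
ACCESS = 'Access contents information'

class Node:
    def __init__(self, name, grants=None, children=()):
        self.name = name
        self.grants = grants or {}  # permission name -> set of user ids
        self.children = {c.name: c for c in children}

    def allows(self, user, permission):
        return user in self.grants.get(permission, set())

def restricted_traverse(root, path, user, default=_marker):
    """Walk path from root, requiring ACCESS on every step.
    Without a default, failures raise; with one, they return it."""
    try:
        obj = root
        for name in path.strip('/').split('/'):
            obj = obj.children[name]  # KeyError when the object is missing
            if not obj.allows(user, ACCESS):
                raise Unauthorized(name)
        return obj
    except (KeyError, Unauthorized):
        if default is _marker:
            raise
        return default

def can(root, path, user, permission):
    """Check a permission by path without raising.
    False covers both 'forbidden' and 'no such object'."""
    obj = restricted_traverse(root, path, user, None)
    return obj is not None and obj.allows(user, permission)

# Constructed sample tree and users
PORTAL = Node('portal', children=[
    Node('person_module', {ACCESS: {'bartek'}}, [
        Node('1', {ACCESS: {'bartek'}, 'View': {'bartek'}}),
        Node('2', {ACCESS: {'bartek'}}),  # reachable, but View not granted
    ]),
])
```
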
Bartek Gorny
2006-11-15 09:38:37 UTC
Post by Romain Courteaud
Post by Bartek Gorny
Hi
I have a funny problem: I have an object's path and I have to check if
I have a View permission on the object, but obviously sometimes I
don't have it, nor Access Content Information permission. The problem
is that to check permissions (by getSecurityManager().checkPermission
or other similar ways) I have to get the object, and I am not
authorized to do it. Then the "Unauthorized" exception is thrown.
I could try to catch the exception, but I'm doing it from a ZMI Python
script - to catch the exception I have to import its class, but in ZMI
importing Unauthorized is - well, unauthorized...
And I'm stuck. The only way I can think of to solve this problem is to
search for the object in portal_catalog (by relative_url) and see if
it returns something - does it make sense, or is it a waste of
resources?
# Try to access the object
# If None is returned, you don't have access permission
obj = portal.restrictedTraverse(obj_path, None)
Great - the missing part was the second argument. Thanks a lot.

Bartek
Post by Romain Courteaud
# You can access it, so test the permission you wish
Romain
_______________________________________________
Erp5-dev mailing list
Erp5-dev at erp5.org
http://erp5.org/mailman/listinfo/erp5-dev
--
"Software is largely a service industry operating under the persistent
but unfounded delusion that it is a manufacturing industry."
Eric S. Raymond, "The Magic Cauldron"