[Erp5-dev] related value list and permissions to objects
Bartłomiej Górny
2006-02-17 09:57:31 UTC
Hi

Question: how to get a list of related objects, but only those to which
the current user has view permissions?

If I use portal_catalog, then it returns only objects to which I have
'view' permission, which is logical. But from what I see a function like
'getXXXRelatedValueList' returns a complete list, and then kicks me out
because I'm not allowed to view some of the objects returned. What's the
solution, if any?

Bartek
--
"Software is largely a service industry operating under the persistent
but unfounded delusion that it is a manufacturing industry."
Eric S.Raymond, "The Magic Cauldron"
Bartłomiej Górny
2006-02-17 14:07:39 UTC
Post by Bartłomiej Górny
Hi
Question: how to get a list of related objects, but only those to which
the current user has view permissions?
If I use portal_catalog, then it returns only objects to which I have
'view' permission, which is logical. But from what I see a function like
'getXXXRelatedValueList' returns a complete list, and then kicks me out
because I'm not allowed to view some of the objects returned. What's the
solution, if any?
What I came up with so far is:

from AccessControl import getSecurityManager

sm=getSecurityManager()

return [ob for ob in context.getXXXRelatedValueList() if
sm.checkPermission('View',ob)]

Plus, I have to have an 'Access content information' permission to an
object to be able to list it or check anything on it. Which, all in all,
makes some sense. Is this the right way to do it?

And, still, is there a shorthand way to get only 'allowed' objects
without doing such 'manual' checks?

Bartek
--
"Software is largely a service industry operating under the persistent
but unfounded delusion that it is a manufacturing industry."
Eric S.Raymond, "The Magic Cauldron"
Jérôme Perrin
2006-02-21 08:04:17 UTC
Post by Bartłomiej Górny
Post by Bartłomiej Górny
Hi
Question: how to get a list of related objects, but only those to which
the current user has view permissions?
If I use portal_catalog, then it returns only objects to which I have
'view' permission, which is logical. But from what I see a function like
'getXXXRelatedValueList' returns a complete list, and then kicks me out
because I'm not allowed to view some of the objects returned. What's the
solution, if any?
from AccessControl import getSecurityManager
sm=getSecurityManager()
return [ob for ob in context.getXXXRelatedValueList() if
sm.checkPermission('View',ob)]
Plus, I have to have an 'Access content information' permission to an
object to be able to list it or check anything on it. Which, all in all,
makes some sense. Is this the right way to do it?
And, still, is there a shorthand way to get only 'allowed' objects
without doing such 'manual' checks?
Hi

Actually, this is not a bug, but rather a 'feature', because we want this
method to return all related objects without security checks; this is, for
example, useful if you want to know how many objects are related.
Also, this is consistent with the category accessor getXXXValue which also
returns objects you may not be able to access later.

Depending on what you want to do, the solution can be either to give the
script a proxy role (if you only need to access objects from one script), to
filter the list by hand (like you did) or to create a new Accessor using
the ERP5Type framework if you think it's necessary.
--
Jérôme
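
The manual filter discussed in this thread, as an added example that is not part of the original posts or of ERP5's code: it keeps the unfiltered count Jérôme mentions while returning only objects that pass both permission checks, and it fails closed when a check raises. FakeDocument, FakeSecurityManager, split_by_access, demo and the sample data are constructed stand-ins; in a Zope script the checker would be getSecurityManager().checkPermission.

```python
# Added example with constructed stand-ins for Zope objects. In a real
# Script (Python) the checker passed to split_by_access would be
# AccessControl.getSecurityManager().checkPermission.
REQUIRED = ('Access contents information', 'View')  # Zope permission names


class FakeDocument:
    """Constructed stand-in for a related ERP5 document."""
    def __init__(self, title, permission_roles):
        self.title = title
        self.permission_roles = permission_roles  # permission -> set of roles


class FakeSecurityManager:
    """Constructed stand-in exposing checkPermission(permission, object)."""
    def __init__(self, user_roles):
        self.user_roles = set(user_roles)

    def checkPermission(self, permission, ob):
        allowed = ob.permission_roles[permission]  # KeyError if unmapped
        return bool(self.user_roles & allowed)


def split_by_access(related, check_permission, required=REQUIRED):
    """Return (viewable objects, number hidden) for an unfiltered related list.

    Fails closed: an object is hidden unless every required permission is
    granted, and any error raised by the check counts as a denial.
    """
    viewable = []
    for ob in related:
        try:
            granted = all(check_permission(p, ob) for p in required)
        except Exception:
            granted = False
        if granted:
            viewable.append(ob)
    return viewable, len(related) - len(viewable)


# Constructed sample: what an unfiltered related-value accessor might return.
ACI = 'Access contents information'
RELATED = [
    FakeDocument('public note', {ACI: {'Member'}, 'View': {'Member'}}),
    FakeDocument('listed only', {ACI: {'Member'}, 'View': {'Manager'}}),
    FakeDocument('restricted', {ACI: {'Manager'}, 'View': {'Manager'}}),
    FakeDocument('unmapped', {}),
]

def demo(roles):
    """Titles the given roles may view, plus the count of hidden objects."""
    viewable, hidden = split_by_access(RELATED, FakeSecurityManager(roles).checkPermission)
    return [ob.title for ob in viewable], hidden
```

The hidden count lets a page report that further related objects exist without exposing their titles or paths to a user who lacks access to them.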