FAQ - Security

1   How do I configure several classes with the same permissions?

Ref: http://mail.zope.org/pipermail/zope3-users/2007-June/006291.html

Use the like_class attribute of the require tag. Here are some examples:

<class class=".MyImage">
  <implements interface=".interfaces.IGalleryItemContained" />
  <require like_class="zope.app.file.interfaces.IImage" />
</class>

<class class=".MySite">
  <require like_class="zope.app.folder.Folder" />
</class>

2   How can I determine (in code) if a principal has the right permissions?

Ref: http://mail.zope.org/pipermail/zope3-users/2006-August/004201.html

The question is: how do I know if the current principal has permission for a specific view? Something like:

def canEdit(self):
    ppal = self.request.principal
    return canView('edit', INewsItem, ppal)

Use zope.security.canAccess and/or zope.security.canWrite.

To check for a specific permission on an object, you can do something like:

from zope.security.management import checkPermission
has_permission = checkPermission('zope.ModifyContent', self.context)

3   I've registered a PAU in the site-root; now I cannot log in as zope.Manager. What gives?

Start zopedebug then unregister the utility. This will then let you log in as a user defined in principals.zcml.

Example (execute the following with zopedebug):

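import transaction
from zope.component import getSiteManager
from zope.app.security.interfaces import IAuthentication

# `root` is the root folder; it is expected to be supplied by the zopedebug session.
lsm = getSiteManager(root)
# Remove the PAU's registration as the site's IAuthentication utility.
lsm.unregisterUtility(lsm.getUtility(IAuthentication), IAuthentication)

# Persist the change to the database.
transaction.commit()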

When you exit zopedebug and start the server, you should be able to log in again using the user defined in principals.zcml. This should have the zope.Manager permission.

To avoid this happening, either assign a role to a user defined in the PAU or set up a folder beneath the root, make it a site and add and register the PAU there. Then you will still be able to log in to the root of the site and have full permissions.

4   How do I set up authentication (using a PAU)?

Via the ZMI:

  • go to the site manager (in the root, or in your folder/site)
  • add a Pluggable Authentication Utility (name as you want, prefix empty)
  • enter it and activate "no challenge if auth" and "session credentials" in this order
  • add a Principal Folder (name and prefix as you want)
  • return back to the PAU, and activate your Principal Folder
  • Now, register both the PAU and the Principal Folder
  • Then you can add users in your Principal Folder (aka Principals)

Via the API:

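# On newer releases getSite is importable from zope.component.hooks instead.
from zope.app.component.hooks import getSite
from zope.app.authentication.authentication import PluggableAuthentication
from zope.app.authentication.interfaces import IAuthenticatorPlugin
from zope.app.authentication.principalfolder import PrincipalFolder
from zope.app.security.interfaces import IAuthentication

site = getSite()
sm = site.getSiteManager()
# Create the PAU and register it as the site's authentication utility.
pau = PluggableAuthentication()
sm['authentication'] = pau
sm.registerUtility(pau, IAuthentication)
# Add a principal folder inside the PAU and activate it as an authenticator.
users = PrincipalFolder()
sm['authentication']['Users'] = users
sm.registerUtility(users, IAuthenticatorPlugin, name="Users")
pau.authenticatorPlugins = (users.__name__, )
pau.credentialsPlugins = ( "No Challenge if Authenticated", "Session Credentials" )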

5   How do I set up authentication (via LDAP)?

Install ldapadapter and ldappas.

Via the ZMI:

  • go to the site manager (in the root, or in your folder/site)
  • add an ldapadapter, configure it for your LDAP server, and test it
  • Now, register it with some custom name (for example, as an ldapadapter.interfaces.ILDAPAdapter utility named 'myldap')
  • add a Pluggable Authentication Utility (name as you want, prefix empty)
  • enter it and activate "no challenge if auth" and "session credentials" in this order
  • add an LDAP Authentication plugin
  • return back to the PAU, and activate your ldap plugin
  • Now, register both the PAU and the ldap plugin
  • Then you can see your ldap-users in Grant action

6   How do I log out from the Zope 3 Management Interface (ZMI)?

Ref: http://mail.zope.org/pipermail/zope3-users/2005-October/001112.html

Ref: http://svn.zope.org/*checkout*/Zope3/branches/3.3/src/zope/app/security/browser/loginlogout.txt

Logout is available from 3.3 onwards, but it is disabled by default. To enable it, add this line to $instance/etc/overrides.zcml:

<adapter factory="zope.app.security.LogoutSupported" />


