In <browser:page /> on Plone, I have a permission attribute. I can add a custom permission in there and have better security when the browser view is rendered.

  <browser:page
      for="*"
      name="my_view"
      class=".myview.MyView"
      allowed_interface=".myview.IMyView"
      permission="my.permission"
      />

Just adding the permission attribute works: when I try to open @@my_view, it asks for login.

Now, let's go to the portlets: portlets have a view_permission, which I thought would do the same, or at least just wouldn't render the portlet if the user didn't have the permission - but neither of these happens. The portlet is rendered, ignoring the view_permission, thus I still need to use the available portlet property to accomplish what I want (it seems I'm not the only one taking this approach).

So, what is view_permission for? I can't find the docs for it. It seems I should be able to use it like permission in browser views, but it seems I can't...

Lennart Regebro
  • I'm not sure in which context the view_permission is checked: on the context that the user is now viewing or on the context where the portlet is defined. I'd guess the first. Maybe that explains what you are seeing? Just a hunch. – maurits Sep 01 '11 at 14:48
  • maurits, I was thinking exactly about that, but if it was the first, I would be seeing the portlet, not the other way round. I think `grep` is going to be my answer soon... :) – Somebody still uses you MS-DOS Sep 01 '11 at 18:52

1 Answer

The purpose of view_permission is to restrict the portlet to users with a specific permission, as it says here:

http://svn.plone.org/svn/plone/plone.app.portlets/trunk/plone/app/portlets/metadirectives.py

Here you can find an example:

http://svn.plone.org/svn/plone/plone.portlet.collection/trunk/plone/portlet/collection/configure.zcml

Edit: unfortunately I have to amend my answer... The purpose of view_permission should be to restrict the portlet to users with a specific permission. But it's not yet honored, as you can see here:

(Thanks to the comment of Ulrich Schwarz that pushed me to double check.)

Giacomo Spettoli
  • Is that permission actually obeyed now? Last time I checked (4.0.4 or so), you could trace the flow for view_permission up to a comment that said more-or-less "no, we don't". – Ulrich Schwarz Sep 09 '11 at 11:28
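
The `available` workaround mentioned in the question, as an added example (not code from this thread or from Plone itself): a renderer that checks the permission itself on the context being viewed, next to one that relies on `view_permission` alone. The permission title, the class names and the stand-ins in the `except ImportError` branch are assumptions made so the block also runs outside a Plone instance.

```python
try:
    # Real framework imports, used when this runs inside a Plone instance.
    from AccessControl import getSecurityManager
    from plone.app.portlets.portlets import base
    Renderer = base.Renderer
except ImportError:
    # Constructed stand-ins so the example also runs outside Plone.
    class Renderer(object):
        def __init__(self, context, request, view, manager, data):
            self.context, self.request, self.data = context, request, data

        @property
        def available(self):
            return True  # the base renderer's default: always render

    class _StubSecurityManager(object):
        def checkPermission(self, permission, obj):
            return permission in getattr(obj, "granted", ())

    def getSecurityManager():
        return _StubSecurityManager()

# Assumption: the title registered for the ZCML id "my.permission".
# AccessControl's checkPermission() takes the title, not the dotted id.
REQUIRED_PERMISSION = "My: View my portlet"


class UnguardedRenderer(Renderer):
    """Relies on view_permission in ZCML only; inherits available == True."""

    def render(self):
        return u"<dl class='portlet'>sensitive</dl>"


class GuardedRenderer(UnguardedRenderer):
    """Checks the permission itself, on the context being viewed."""

    @property
    def available(self):
        sm = getSecurityManager()
        return bool(sm.checkPermission(REQUIRED_PERMISSION, self.context))


def render_column(renderer):
    """Mimic the portlet manager: emit a portlet only if it is available."""
    return renderer.render() if renderer.available else u""
```

Because the check runs against `self.context`, the result follows the permissions of the object the user is viewing, not those of the place where the portlet was assigned.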