[Erp5-dev] related value list and permissions to objects

[Jérôme Perrin]

Le Vendredi 17 Février 2006 15:07, Bartłomiej Górny a écrit :
> Bartłomiej Górny wrote:
> > Hi
> >
> > Question: how to get a list of related objects, but only those to which
> > the current user has view permissions?
> >
> > If I use portal_catalog, then it returns only objects to which I have
> > 'view' permission, which is logical. But from what I see a function like
> > 'getXXXRelatedValueList' returns a complete list, and then kicks me out
> > because I'm not allowed to view some of the objects returned. What's the
> > solution, if any?
>
> What I came up so far is:
>
> from AccessControl import getSecurityManager
>
> sm=getSecurityManager()
>
> return [ob for ob in context.getXXXRelatedValueList() if
> sm.checkPermission('View',ob)]
>
> Plus, I have to have an 'Access content information' permission to an
> object to be able to list it or check anything on it. Which, all in all,
> makes some sense. Is this the right way to do it?
>
> And, still, is there a shorthand way to get only 'allowed' object
> without doing such 'manual' checks?

Hi

Actually, this is not a bug, but rather a 'feature', because we want this 
method to return all related objects without security checks, this is for 
example usefull if you want to know how many objects are related.
Also, this is consistent with the category accessor getXXXValue which also 
returns objects you may not be able to access later.

Depending on your what you want to do, solution can be either to give the 
script a proxy role (if you only need to access objects from one script), to 
filter the list by hand (like you did) or to create a new Accessor using 
ERP5Type framework if you think it's necessary.

-- 
Jérome