Why do
user.has_permission(permission, object)
and
user.checkPermission(permission, object)
return different results?
checkPermission seems to give the correct result.
Answer 0 (score: 3)
Because they are different functions.
has_permission is a method of the BasicUser class in AccessControl/users.py:

    def has_permission(self, permission, object):
        """Check if the user has a permission on an object.

        This method is just for inspecting permission settings. For access
        control use getSecurityManager().checkPermission() instead.
        """
        roles=rolesForPermissionOn(permission, object)
        if isinstance(roles, str):
            roles=[roles]
        return self.allowed(object, roles)

whereas checkPermission is a function defined in AccessControl/security.py:

    def checkPermission(permission, object, interaction=None):
        """Return whether security policy allows permission on object.

        Arguments:
        permission -- A permission name
        object -- The object being accessed according to the permission
        interaction -- This zope.security concept has no equivalent in Zope 2,
            and is ignored.

        checkPermission is guaranteed to return True if permission is
        CheckerPublic or None.
        """
        if (permission in ('zope.Public', 'zope2.Public') or
                permission is None or permission is CheckerPublic):
            return True

        if isinstance(permission, basestring):
            permission = queryUtility(IPermission, unicode(permission))
            if permission is None:
                return False

        if getSecurityManager().checkPermission(permission.title, object):
            return True

        return False

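has_permission is for inspecting permission settings, while checkPermission is for access control. In other words, a user may not have the permission setting on an object but may still be able to access it through other security policy mechanisms.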
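
The difference described in the answer above, as an added example that is not part of the original answer and is not AccessControl's code: a simplified model of a settings-only check next to a policy check that also weighs the executable on the stack (its owner and proxy roles), which is my understanding of how Zope's default policy can disagree with has_permission. It goes one step beyond the answer by also showing the policy refusing a user whose settings would allow access. All class and function names and the sample permission data are hypothetical.

```python
# Simplified model, not AccessControl's code; all names are hypothetical.
# Local roles and acquisition are left out.

class Obj:
    def __init__(self, permission_roles):
        self.permission_roles = permission_roles  # permission -> roles

class User:
    def __init__(self, roles):
        self.roles = set(roles)

    def allowed(self, roles):
        return bool(self.roles & set(roles))

    def has_permission(self, permission, obj):
        # Settings inspection only: user roles vs. roles set on the object.
        return self.allowed(obj.permission_roles.get(permission, ()))

class Executable:
    """Constructed stand-in for a script on the execution stack."""
    def __init__(self, owner=None, proxy_roles=()):
        self.owner, self.proxy_roles = owner, tuple(proxy_roles)

def policy_check(permission, obj, user, stack=()):
    """Policy decision: the running executable is part of the answer."""
    roles = obj.permission_roles.get(permission, ())
    if stack:
        exe = stack[-1]
        # The executable's owner must hold the permission as well.
        if exe.owner is not None and not exe.owner.allowed(roles):
            return False
        # Proxy roles stand in for the user's own roles.
        if exe.proxy_roles:
            return any(r in roles for r in exe.proxy_roles)
    return user.allowed(roles)

def demo():
    perm = "Modify portal content"  # constructed sample data
    doc = Obj({perm: ["Manager", "Editor"]})
    member, editor, manager = User(["Member"]), User(["Editor"]), User(["Manager"])
    proxy_script = Executable(owner=manager, proxy_roles=["Manager"])
    member_script = Executable(owner=member)
    return (
        member.has_permission(perm, doc),                  # settings: no
        policy_check(perm, doc, member, [proxy_script]),   # policy: yes
        editor.has_permission(perm, doc),                  # settings: yes
        policy_check(perm, doc, editor, [member_script]),  # policy: no
    )
```

Authorization decisions in application code should follow the policy path; the settings check is only a view of what is configured on the object.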