Question

When one registers a view in ZCML like:

<browser:page
   for="*"
   name="reporter"
   class=".reporter.report_form_frame"
   permission="cmf.SetOwnPassword"
   />

  • At which point of the traversal stack does the Zope machinery check for this permission?

  • Which component keeps track of views and their permissions?


Solution

The browser:page handler sets the permission on the view class itself. There is no central component that keeps track.

In Zope 2, that is delegated to the AccessControl.security.protectClass() function, which is the equivalent of adding a ClassSecurityInfo object to your view class:

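from AccessControl.SecurityInfo import ClassSecurityInfo
from Products.Five.browser import BrowserView

class report_form_name(BrowserView):
    security = ClassSecurityInfo()
    # Require this permission to access instances of the view
    security.declareObjectProtected('cmf.SetOwnPassword')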

or, if making the view public (zope.Public) or private (zope.Private), the security.declareObjectPublic() or security.declareObjectPrivate() calls are used instead.

The class security info is translated into __roles__ and __ac_permissions__ attributes on the class that the publisher inspects when checking permissions. See the Security chapter of the Zope Secrets book for details on how those work.
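
Since the permission is set per view class and no central component tracks it, reviewing which views are exposed means reading the ZCML registrations themselves. The script below is an added example, not part of the original answer: it inventories browser:page registrations and flags those bound to a public permission. The function name audit_pages and every sample registration other than the question's "reporter" page are constructed for illustration.

```python
import xml.etree.ElementTree as ET

BROWSER_NS = "http://namespaces.zope.org/browser"
# Permission ids that leave a view open to anonymous requests.
PUBLIC_IDS = {"zope.Public", "zope2.Public"}

# Constructed sample configure.zcml; only "reporter" comes from the question.
SAMPLE_ZCML = """\
<configure xmlns="http://namespaces.zope.org/zope"
           xmlns:browser="http://namespaces.zope.org/browser">
  <browser:page
     for="*"
     name="reporter"
     class=".reporter.report_form_frame"
     permission="cmf.SetOwnPassword"
     />
  <browser:page for="*" name="status" class=".status.StatusView"
     permission="zope.Public" />
  <browser:pages for="*" class=".admin.AdminViews" permission="cmf.ManagePortal">
    <browser:page name="purge" attribute="purge" />
  </browser:pages>
</configure>
"""


def audit_pages(zcml_text):
    """Return one dict per browser:page with its effective permission."""
    root = ET.fromstring(zcml_text)
    findings = []

    def walk(node, inherited):
        for child in node:
            if child.tag == "{%s}pages" % BROWSER_NS:
                # browser:pages supplies the permission for its nested pages
                walk(child, child.get("permission"))
            elif child.tag == "{%s}page" % BROWSER_NS:
                perm = child.get("permission", inherited)
                findings.append({"name": child.get("name"), "permission": perm,
                                 "public": perm in PUBLIC_IDS})
            else:
                walk(child, inherited)  # nested <configure> wrappers

    walk(root, None)
    return findings


if __name__ == "__main__":
    for f in audit_pages(SAMPLE_ZCML):
        print("%-10s %-20s %s" % (f["name"], f["permission"], "PUBLIC" if f["public"] else ""))
```

This only covers permissions declared in ZCML; security declared directly in Python with ClassSecurityInfo has to be reviewed in the class source.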

Licensed under: CC-BY-SA with attribution