Hi, I have a client that's using PFG to accept competition entries and is finding that people are entering more than once. They would like me to ensure that the mobile number is unique. This is easy enough when one is logged in as admin: you just grab the saved data on the form and look for an entry with the new number. If one is not logged in (and the entrants are not) then I need to get to a filesystem method that can perform the validation as a manager. I could use an ExternalMethod but was wondering if there is another way?
First thing that comes to my mind is the adopt_roles context manager:

    # Adopt extra roles only when the current user lacks "Add portal content".
    if not plone.api.user.has_permission(
        permissions.AddPortalContent, obj=self.context
    ):
        with plone.api.env.adopt_roles(["Anonymous", "Contributor", "Editor"]):
            plone.api.content.create(**contribution_data)
    else:
        plone.api.content.create(**contribution_data)

With the above snippet anonymous users are able to add new content.
So you could adapt the roles required for getting the existing phone numbers and then perform the check in a safe context block.
In modern Zope/Plone versions, one would do it with a (so called) view. It is not security restricted and can do anything.
You can use AccessControl.SecurityManagement.newSecurityManager (and its friend getSecurityManager) to switch a user temporarily.
You can use dm.zopepatches.security.proxy to perform a piece of code with specific roles.
The PFG custom script adapter allows you to specify a proxy role under which the script will be executed. This should allow it to operate with rights adequate to read saved form input data. So, it can all be done TTW. Of course, be very careful with scripts that execute under proxy roles.
Thanks for all your replies.
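
One way to keep the elevated lookup from the replies above narrow, as an added example that is not code from any poster or from PFG: the privileged block hands back only a yes/no answer, never the saved rows, and the extra role is dropped even if the read fails. `SavedEntries`, `mobile_already_entered` and the sample rows are constructed stand-ins so the block runs without Plone; on a real site the `elevated` argument would wrap `plone.api.env.adopt_roles` (assumption).

```python
import re
from contextlib import contextmanager

def normalise_mobile(raw):
    """Digits only, so '0412 345 678' and '0412-345-678' compare equal.
    Country-code folding is left out because it is site-specific."""
    return re.sub(r"\D", "", raw or "")

def mobile_already_entered(candidate, read_rows, elevated, column=0):
    """Return True if candidate matches a saved entry.

    read_rows: callable returning the saved rows (lists of strings).
    elevated:  context-manager factory granting read access; in Plone this
               would wrap plone.api.env.adopt_roles (assumption).
    Only a boolean leaves the elevated block, never the saved data."""
    wanted = normalise_mobile(candidate)
    if not wanted:
        raise ValueError("no digits in mobile number")
    with elevated():
        return any(normalise_mobile(row[column]) == wanted for row in read_rows())

# --- constructed stand-ins so the example runs without Plone ---
class SavedEntries:
    """Mimics saved form data that anonymous visitors may not read."""
    def __init__(self, rows):
        self._rows, self.roles = rows, {"Anonymous"}

    def read(self):
        if "Manager" not in self.roles:
            raise PermissionError("Unauthorized")
        return list(self._rows)

    @contextmanager
    def as_manager(self):
        previous = set(self.roles)
        self.roles.add("Manager")
        try:
            yield
        finally:
            self.roles = previous  # always drop the adopted role again

STORE = SavedEntries([["0412 345 678", "Ann"], ["0498-765-432", "Bob"]])

def check(number):
    """Validator entry point as an anonymous form submission would call it."""
    return mobile_already_entered(number, STORE.read, STORE.as_manager)
```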