def protectedURLHandler(event): # Managers may view anything they want. if event.request.AUTHENTICATED_USER.has_role('Manager'): return # Default to unprotected protected = False # Two possibilities: either we have an instancemethod, or a # product instance (Python Script or others) if isinstance(event.request.PUBLISHED, types.MethodType): # For methods we need the immediate parent obj = event.request.PARENTS[0] else: # For product instances we take the object itself. obj = event.request.PUBLISHED protected = is_protected(obj) # Private items which were attempted to publish directly # land in the log file and get "Unauthorized" if protected: logger.info('PROTECTED: ' + str(event.request.URL)) raise AccessControl.Unauthorized()