[Zope] RE: What method do I use to check access?

Howard Clinton Shaw III shawh@sths.org
Thu, 27 May 1999 06:52:01 -0500


On Wed, 26 May 1999, Rob Page wrote:
> > I'm not sure what you're proposing other than having different roles for
> > each restricted area. And that makes roles a restrictive device. I have
> 
> Yes, this was what I was proposing.
> 
> > several areas and several groups of users. My roles represent a type of user
> > not a type of access to a particular area. A role may enable access to many
> > areas. This is how it is supposed to work with roles as I understand it.
> > The problem I'm trying to address, which for some reason I can't seem to get
> > across to anyone, is as follows. If say I development area to only users
> > with role developer this is fine. I can then in my main page add a link to
> > this development area that is viewable to only developers like so
> > 
> > <!--#if expr="AUTHENTICATED_USER.has_role('developer')"-->
> > <LI> <A HREF="development_area/index_html">Development Area</A>
> > <!--#/if-->
> > 
> > This is fine and what I currently do. My argument is that if later I want
> > say users with supervisor role to access the development area then I have to
> > change the permissions on the development area and find all the has_role
> > conditions in my code and change them. This is not a huge point I realize but
> > it seems to me a logical function that I should be able to perform. Show
> > something if the user has permission to see it. It also means I can
> > conditionally include DTML only if that user has permission to view that
> > DTML.
> > ie
> 
> What if you could assign a role to a role?  In your example above
> you have the developer role and the supervisor role.  You might then be
> able to assign the developer role to the supervisor role.  Now, this IS
> NOT the way it works today.  Would this approach meet your requirement?
> 
> With this approach the notion of role becomes much more like a notion of
> groups.
> 
> > <!--#if "restrictedDTML.hasPermission(AUTHENTICATED_USER, 'View')"-->
> >  <!--#var restrictedDTML-->
> > <!--#/if-->
> 
> At first glance exposing this stuff at this level would be pretty
> difficult since different objects can have different permissions
> associated with them.
> 

Difficult perhaps, but a more appropriate mechanism, bringing External
Methods and DTML more in line with Products, etc. Just have it return a
negative response if the permission doesn't exist; or raise an exception.

> --Rob
--
Howard Clinton Shaw III - Grum
St. Thomas High School
#include "disclaimer.h"
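
Added example, not part of the original message and not Zope's API: a simplified Python model of the per-object permission check discussed in this thread, where the menu asks each object whether the user holds 'View' instead of testing a hard-coded role. The class and function names (User, Resource, has_permission, visible_links, UnknownPermission) and the sample users are hypothetical.

```python
# Simplified model of the idea in this thread; every name is hypothetical.
class UnknownPermission(Exception):
    """Raised in strict mode when an object does not define the permission."""


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)

    def has_role(self, role):
        return role in self.roles


class Resource:
    def __init__(self, path, title, permissions):
        self.path = path
        self.title = title
        # permission name -> set of roles granted that permission on this object
        self.permissions = {p: set(r) for p, r in permissions.items()}

    def has_permission(self, user, permission, strict=False):
        roles = self.permissions.get(permission)
        if roles is None:
            # The object has no such permission: deny, or raise in strict mode.
            if strict:
                raise UnknownPermission(f"{permission!r} not defined on {self.path}")
            return False
        return bool(roles & user.roles)


def visible_links(user, resources, permission="View"):
    """Return menu links only for resources the user may access."""
    return [f'<LI> <A HREF="{r.path}">{r.title}</A>'
            for r in resources if r.has_permission(user, permission)]


# Constructed sample data.
dev_area = Resource("development_area/index_html", "Development Area",
                    {"View": {"developer"}})
developer = User("dana", ["developer"])
supervisor = User("sam", ["supervisor"])
```

Granting 'View' to the supervisor role on dev_area changes what visible_links returns with no edit to the menu code, which is the maintenance point raised above. The filtered link is presentation only; the target object still has to enforce the same permission when it is requested.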