[Zope] Re: roles check

David A. Riggs spam_riggs at csee.wvu.edu
Fri May 7 09:07:04 EDT 2004

schandra at csee.wvu.edu wrote:
> I want to check for two roles in a page.I did like this
> <dtml-unless "_.SecurityGetUser().has_role('Faculty||staff')">
> < <dtml-call expr="RESPONSE.redirect('../login_form')">>
> </dtml-unless
> Is this correct?

This is wrong for several different reasons.

1. The obvious one, your first line is checking for a role
    called "Faculty||staff", instead of checking for a role
    called "Faculty" or a role called "staff".

2. The not-so-obvious one is in the intent of this code.
    It looks like you're trying to manually do what Zope's
    security does for you. Take away the "View" permission
    for anyone not in these roles, and the CookieCrumbler
    will take care of sending the user to the login_form.
    This can be done on an entire directory so that you're
    not in charge of making sure this check is done at
    every restricted page. In other words, this block
    of code is likely not necessary.

- David A. Riggs <riggs at csee dot wvu dot edu>

More information about the Zope mailing list