[Zope] RE: What method do I use to check access?

Jay, Dylan djay@lucent.com
Thu, 27 May 1999 10:02:18 +1000


> -----Original Message-----
> From: Rob Page [mailto:rob.page@digicool.com]
> Sent: Wednesday, May 26, 1999 21:26
> To: 'Jay, Dylan'
> Cc: 'zope@zope.org'
> Subject: RE: [Zope] RE: What method do I use to check access?
> 
> 
> >  What I want is
> >  <!--#if "AUTHENTICATED_USER.hasPermission(SomeObject, 'View')"-->
> >   <a href="<!--#var "SomeObject.absolute_url()"-->">Goto 
> >  SomeObject</a>
> >  <!--#/if-->
> 
> How about:
> 
> <!--#if expr="AUTHENTICATED_USER.has_role('requester')"-->
> <LI> <A HREF="Requester/index_html">Requester menu</A>
> <!--#/if-->
> 
> Reading between the lines of your original post it sounds like this
> approach might work but require you to add more role definitions...

I'm not sure what you're proposing other than having different roles for
each restricted area. And that makes roles a restrictive device. I have
several areas and several groups of users. My roles represent a type of user
not a type of access to a particular area. A role may enable access to many
areas. This is how it is supposed to work with roles as I understand it.
The problem I'm trying to address, which for some reason I can't seem to get
across to anyone, is as follows. If say I restrict a development area to only
users with role developer this is fine. I can then in my main page add a link to
this development area that is viewable to only developers like so

<!--#if expr="AUTHENTICATED_USER.has_role('developer')"-->
<LI> <A HREF="development_area/index_html">Development Area</A>
<!--#/if-->

This is fine and what I currently do. My argument is that if later I want
say users with supervisor role to access the development area then I have to
change the permissions on the development area and find all the has_role
conditions in my code and change them. This is not a huge point I realize but
it seems to me a logical function that I should be able to perform. Show
something if the user has permission to see it. It also means I can
conditionally include DTML only if that user has permission to view that
DTML.
ie
<!--#if "restrictedDTML.hasPermission(AUTHENTICATED_USER, 'View')"-->
 <!--#var restrictedDTML-->
<!--#/if-->

If this is not something that others see as important or is too hard then fine.
I spent a couple of hours on it and couldn't find a nice way of doing it. I
thought someone else could do it easier. A function called oldvalidate()
looked promising but the name didn't seem to indicate its validity and with
no documentation I couldn't work out the arguments. All I want is the
security validation mechanism exposed more so I can use it in DTML. Can this be
done?
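
The permission-based check asked for above, as an added example that is not part of the original message and does not use Zope's API: a small Python model in which the menu is computed from the same permission-to-role settings that guard each object, so granting a new role access is a single change on the object. The `Node` class, `has_permission`, `visible_links`, the acquisition walk and the sample site are all hypothetical names and constructed data.

```python
# Illustrative model only: these classes and names are hypothetical, not Zope's API.

class Node:
    """An object whose permission settings may be acquired from its container."""
    def __init__(self, name, parent=None, permissions=None):
        self.name = name
        self.parent = parent
        # permission name -> set of roles granted that permission at this object
        self.permissions = permissions or {}

    def roles_for(self, permission):
        """Walk up the containment chain until a setting for `permission` is found."""
        node = self
        while node is not None:
            if permission in node.permissions:
                return node.permissions[permission]
            node = node.parent
        return set()  # nothing set anywhere: deny by default


def has_permission(user_roles, permission, obj):
    """True if any of the user's roles is granted `permission` on `obj`."""
    return bool(set(user_roles) & obj.roles_for(permission))


def visible_links(user_roles, objects):
    """The menu a template would render: only objects the user may View."""
    return [o.name for o in objects if has_permission(user_roles, "View", o)]


# Constructed sample site.
root = Node("root", permissions={"View": {"Anonymous", "developer", "supervisor"}})
dev = Node("development_area", parent=root, permissions={"View": {"developer"}})
docs = Node("docs", parent=root)  # no local setting, acquires View from root
menu = [dev, docs]

if __name__ == "__main__":
    print(visible_links(["supervisor"], menu))  # before the policy change
    dev.permissions["View"].add("supervisor")   # one change, on the object only
    print(visible_links(["supervisor"], menu))  # menu follows, no template edits
```

A hard-coded `has_role('developer')` test in the template would still hide the link from supervisors after the policy change, which is the drift between displayed links and enforced access that the message describes.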