[Zope] RE: What method do I use to check access?

Howard Clinton Shaw III shawh@sths.org
Thu, 27 May 1999 06:38:01 -0500


On Wed, 26 May 1999, Jay, Dylan wrote:
> > -----Original Message-----
> > From: Rob Page [mailto:rob.page@digicool.com]
> > Sent: Wednesday, May 26, 1999 21:26
> > To: 'Jay, Dylan'
> > Cc: 'zope@zope.org'
> > Subject: RE: [Zope] RE: What method do I use to check access?
> > 
> > 
> > >  What I want is
> > >  <!--#if "AUTHENTICATED_USER.hasPermission(SomeObject, 'View')"-->
> > >   <a href="<!--#var "SomeObject.absolute_url()"-->">Goto 
> > >  SomeObject</a>
> > >  <!--#/if-->
> > 
> > How about:
> > 
> > <!--#if expr="AUTHENTICATED_USER.has_role('requester')"-->
> > <LI> <A HREF="Requester/index_html">Requester menu</A>
> > <!--#/if-->
> > 
> > Reading between the lines of your original post it sounds like this
> > approach might work but require you to add more role definitions...
> 
> I'm not sure what you're proposing other than having different roles for
> each restricted area. And that makes roles a restrictive device. I have
> several areas and several groups of users. My roles represent a type of user,
> not a type of access to a particular area. A role may enable access to many
> areas. This is how it's supposed to work with roles as I understand it.
> The problem I'm trying to address, which for some reason I can't seem to get
> across to anyone, is as follows. If, say, I restrict a development area to only
> users with the role developer, this is fine. I can then in my main page add a
> link to this development area that is viewable to only developers like so
> 
> <!--#if expr="AUTHENTICATED_USER.has_role('developer')"-->
> <LI> <A HREF="development_area/index_html">Development Area</A>
> <!--#/if-->
> 
> This is fine and what I currently do. My argument is that if later I want,
> say, users with the supervisor role to access the development area, then I
> have to change the permissions on the development area and find all the
> has_role conditions in my code and change them. This is not a huge point, I
> realize, but it seems to me a logical function that I should be able to
> perform: show something if the user has permission to see it. It also means
> I can conditionally include DTML only if that user has permission to view
> that DTML.
> ie
> <!--#if "restrictedDTML.hasPermission(AUTHENTICATED_USER, 'View')"-->
>  <!--#var restrictedDTML-->
> <!--#/if-->
> 
> If this is not something that others see as important or is too hard then
> fine. I spent a couple of hours on it and couldn't find a nice way of doing
> it. I thought someone else could do it easier. A function called
> oldvalidate() looked promising but the name didn't seem to indicate its
> validity and with no documentation I couldn't work out the arguments. All I
> want is the security validation mechanism exposed more so I can use it in
> DTML. Can this be done?

I would just like to say that I understood from the first what you were trying to accomplish,
Jay, and I fully agree with you. While roles are an appropriate mechanism for handling the
complexity of permissions, it is inappropriate for DTML to check roles. In fact, I would
not be in the least averse to a reversal of the situation, wherein DTML is permitted to check
permissions, and NOT check roles. After all, the design intention of a role seems to be to
provide a way of giving a user a set of permissions. A role encapsulates a grouping of
permissions, and ANY role B possessing the same permissions as role A should have access
to all of the system that A can access. If DTML could ONLY check permissions, then this
would automatically be the case. The current system seems to me to be counter-intuitive both
for the DTML and External Method coder, and for the non-coding managers of the system.

It is counter-intuitive to see that I can give two people identical permissions to a directory, and
yet have one able to access, and the other not. 

I don't suppose you tried the mechanism I suggested earlier? I was curious to see whether it would
work, but haven't got an appropriate developmental setting in which to test it.

> 
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://www.zope.org/mailman/listinfo/zope
> 
> (For developer-specific issues, use the companion list,
> zope-dev@zope.org - http://www.zope.org/mailman/listinfo/zope-dev )
--
Howard Clinton Shaw III - Grum
St. Thomas High School
#include "disclaimer.h"
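The point the two posters are making, that a template which tests a role name goes stale the moment the access policy changes while a template which tests a permission follows the policy automatically, can be shown with a small model of the role/permission layering. The code below is an added illustration written for this page; it is not from the thread and it is not Zope's API. The Area and User classes, their method names, and the 'developer', 'requester' and 'supervisor' roles are all invented for the example, and the 'View' permission is just a string.

```python
"""Added example (not from the original thread or from Zope itself):
a minimal model of the role/permission layering the thread describes.
It contrasts a menu built from has_role() checks, as in the quoted DTML,
with one built from a permission check resolved through the object's
role grants. All names below are hypothetical."""


class Area:
    """A protected object. Maps each permission to the set of roles
    that have been granted it (the kind of table a folder's Security
    tab edits)."""

    def __init__(self, name, grants):
        self.name = name
        self.grants = {perm: set(roles) for perm, roles in grants.items()}

    def grant(self, permission, role):
        """Policy change: give one more role this permission on this object."""
        self.grants.setdefault(permission, set()).add(role)


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)

    def has_role(self, role):
        # What the quoted DTML does: test a hard-coded role name.
        return role in self.roles

    def has_permission(self, permission, area):
        # What the thread asks for: accept any of the user's roles that
        # carries the permission on this object, so two roles with the
        # same grants are treated identically.
        return bool(self.roles & area.grants.get(permission, set()))


def visible_links_by_role(user, areas_with_roles):
    """Menu the way the thread currently builds it: one role name per link."""
    return [area.name for area, role in areas_with_roles if user.has_role(role)]


def visible_links_by_permission(user, areas):
    """Menu built from the permission check: no role names in the template."""
    return [a.name for a in areas if user.has_permission('View', a)]


def demo():
    """Returns (links before policy change, links after), each as a pair
    (role-based menu, permission-based menu) for a supervisor user."""
    dev = Area('development_area', {'View': ['developer']})
    req = Area('Requester', {'View': ['requester']})
    areas = [dev, req]
    link_roles = [(dev, 'developer'), (req, 'requester')]  # constructed sample

    supervisor = User('sally', ['supervisor'])
    before = (visible_links_by_role(supervisor, link_roles),
              visible_links_by_permission(supervisor, areas))

    # The change from the thread: supervisors may now view the dev area.
    # Only the object's grant is edited; neither menu function is touched.
    dev.grant('View', 'supervisor')
    after = (visible_links_by_role(supervisor, link_roles),
             visible_links_by_permission(supervisor, areas))
    return before, after


if __name__ == '__main__':
    before, after = demo()
    print('before grant:', before)
    print('after grant: ', after)
```

After the grant, the role-based menu still hides the link (the template would have to be edited by hand to add the new role), while the permission-based menu shows it. The same mechanism gives Howard's "two roles with identical permissions" case the expected answer: a user whose only role is 'supervisor' passes has_permission once that role is granted 'View', without the template knowing the role exists. Later Zope 2 releases do expose this check on user objects as has_permission(permission, object); whether it was available in the release this 1999 thread discusses is not something the thread settles.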