[Zope] Fairly dumb SecurityCheckPermission question

Dieter Maurer dieter@handshake.de
Fri, 31 Aug 2001 20:36:47 +0200 (CEST)


Neil Burnett writes:
 > I want to check in one DTML Method whether the current user has permission
 > to view another one. So I have tried the following, where editContact is the
 > target method.
 > 
 > <dtml-if expr="_.SecurityCheckPermission('View', editContact())">

This does not work, because you render (i.e. call)
"editContact". The result is a string and it is not
very sensible to ask for 'View' permission on a string.

Unfortunately,

   <dtml-if expr="_.SecurityCheckPermission('View', editContact)">

will not work either.

This time, it is because "editContact" access is protected by
'View'. As soon as you reference 'editContact', it is checked
whether the current user has the 'View' permission, and
an 'Unauthorized' exception is raised if not.

I think this is a bug, but probably will not be able to
convince the relevant people.

Your options:

  1.  move the above check into an external method
      (you need to pass the "id", as otherwise you will
      get the same problem).

  2.  <dtml-call "REQUEST.set('hasViewPermission',0)">
      <dtml-try>
         <dtml-if expr="_.SecurityCheckPermission('View', editContact)">
           <dtml-call "REQUEST.set('hasViewPermission',1)">
         </dtml-if>
      <dtml-except Unauthorized>
      </dtml-try>



Dieter
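
A sketch of option 1, added here as an example and not part of the original message: an External Method that receives the target's id as a string, looks the object up itself, and asks the security manager about it. The name hasPermissionOn, the parameter names and the injectable `check` argument are assumptions made for illustration; `getSecurityManager().checkPermission` is the AccessControl call used when no `check` is supplied.

```python
# Added example, not from the original post: body of a Zope External Method.
# External Method code runs unrestricted, so looking the object up by id here
# does not trigger the access check that raises Unauthorized in a DTML
# expression. The check itself is still made, explicitly, further down.

def hasPermissionOn(self, obj_id, permission='View', check=None):
    """Return 1 if the current user holds `permission` on the object named
    `obj_id` reachable from `self`, else 0. Never raises Unauthorized."""
    if check is None:
        # Imported lazily so the module can also be loaded outside Zope.
        from AccessControl import getSecurityManager
        check = getSecurityManager().checkPermission
    # Accept a plain id only: no paths and no private names, so the method
    # cannot be used to probe arbitrary attributes.
    if not isinstance(obj_id, str) or not obj_id:
        return 0
    if obj_id.startswith('_') or '/' in obj_id:
        return 0
    target = getattr(self, obj_id, None)  # on a real folder this acquires
    if target is None:
        return 0
    return 1 if check(permission, target) else 0


def demo():
    """Run the helper against constructed stand-ins (not real Zope objects)."""
    class Folder:
        pass
    folder = Folder()
    folder.editContact = object()
    allow = lambda permission, obj: permission == 'View'
    deny = lambda permission, obj: False
    return (hasPermissionOn(folder, 'editContact', check=allow),
            hasPermissionOn(folder, 'editContact', check=deny),
            hasPermissionOn(folder, 'noSuchMethod', check=allow))


if __name__ == '__main__':
    print(demo())
```

From DTML the id is passed as a quoted string, for instance `hasPermissionOn(this(), 'editContact')`, so the expression never references the protected object itself.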