[Zope] Should the use of hasRole() be discouraged?

Brian Lloyd brian@digicool.com
Wed, 14 Mar 2001 12:02:47 -0500


> I've read comments from others whereby they've reluctantly been obliged
> to give users a certain role in order for some products to work, due to
> a hasRole() call in the product.
> 
> But why do products call hasRole()? I would have thought that for most
> cases the proper thing to do was to test for the user having the
> necessary *permission*; that is, the product shouldn't test for the
> user having the 'Editor' role, but for having the 'Edit' permission
> (roles just being a means to simplify the allocation of permissions to
> users).
> 
> Or have I missed something?

You are correct - user.hasRole() is especially bad because 
it is an old legacy name from the distant past that is really 
an alias for user.allowed(). user.has_role() can be used 
to see if a user has a given role (by direct assignment, or 
in the context of an object), but this interface is really
more about seeing what roles a user has than about checking
security.

Products should be using:

user.has_permission(permission_name, object)

to check whether a user has a given permission on an object.


Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909              
Digital Creations  http://www.digicool.com
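
Added example, not part of the original message and not Zope's own code: a simplified model of why a hard-coded role test and a permission test can disagree once an administrator remaps a permission. Only the has_role and has_permission names come from the message; the Folder and User classes, the two gate functions, the 'Manager' default and the sample site are assumptions constructed for illustration.

```python
# Simplified model, NOT Zope's AccessControl code; classes and data are constructed.
class Folder:
    """Object with a permission->roles mapping and per-user local roles."""
    def __init__(self, parent=None, permission_roles=None, local_roles=None):
        self.parent = parent
        self.permission_roles = permission_roles or {}  # {'Edit': {'Editor'}}
        self.local_roles = local_roles or {}            # {'alice': {'Reviewer'}}

    def roles_for_permission(self, permission):
        obj = self  # nearest object in the containment chain that sets the mapping wins
        while obj is not None:
            if permission in obj.permission_roles:
                return obj.permission_roles[permission]
            obj = obj.parent
        return {"Manager"}  # assumed default when nothing is configured

class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)

    def roles_in_context(self, obj):
        roles = set(self.roles)  # global roles plus local roles on obj or its containers
        while obj is not None:
            roles |= obj.local_roles.get(self.name, set())
            obj = obj.parent
        return roles

    def has_role(self, role, obj=None):
        # Answers "what is this user called here?", not "may they act?"
        return role in self.roles_in_context(obj)

    def has_permission(self, permission, obj):
        # Answers the security question through the site's own mapping.
        return bool(self.roles_in_context(obj) & obj.roles_for_permission(permission))

# Constructed site: in 'docs' the admin gives 'Edit' to a local 'Reviewer' role.
root = Folder(permission_roles={"Edit": {"Editor"}})
docs = Folder(parent=root, permission_roles={"Edit": {"Reviewer"}},
              local_roles={"alice": {"Reviewer"}})
alice = User("alice", ["Member"])
bob = User("bob", ["Editor"])

def role_gate(user, obj):        # hard-coded role name, as in the products described
    return user.has_role("Editor", obj)

def permission_gate(user, obj):  # the check the message recommends
    return user.has_permission("Edit", obj)
```

In the constructed site, the role gate refuses alice and admits bob inside docs, while the permission gate does the opposite, which is what the administrator actually configured.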