I've read comments from others whereby they've reluctantly been obliged to give users a certain role in order for some products to work, due to a hasRole() call in the product.
But why do products call hasRole()? I would have thought that for most cases the proper thing to do was to test for the user having the necessary *permission*; that is, the product shouldn't test for the user having the 'Editor' role, but for having the 'Edit' permission (roles just being a means to simplify the allocation of permissions to users).
Or have I missed something?
You are correct - user.hasRole() is especially bad because it is an old legacy name from the distant past that is really an alias for user.allowed(). user.has_role() can be used to see if a user has a given role (by direct assignment, or in the context of an object), but this interface is really more about seeing what roles a user has than about checking security.

Products should be using:

  user.has_permission(permission_name, object)

to check whether a user has a given permission on an object.

Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com
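Added illustration, not Zope's own code and not part of the original thread: a minimal role/permission model showing why a product that hard-wires a role name (an hasRole("Editor")-style check) denies users who are granted Edit some other way, while a permission check behaves correctly. The class, role and user names are constructed assumptions.

```python
# Constructed example: role -> permissions mapping, global and local roles,
# and the two kinds of check a product might make.

# Site-wide mapping of role name to the permissions that role grants.
ROLE_PERMISSIONS = {
    "Manager": {"View", "Edit", "Delete"},
    "Editor": {"View", "Edit"},
    "Reviewer": {"View", "Edit"},   # a site-specific role that also grants Edit
    "Anonymous": {"View"},
}

class Document:
    def __init__(self, local_roles=None):
        # local_roles: user name -> roles granted only in the context of this object
        self.local_roles = local_roles or {}

class User:
    def __init__(self, name, roles):
        self.name = name
        self.global_roles = set(roles)

    def roles_in_context(self, obj):
        """Global roles plus any local roles assigned on the object."""
        return self.global_roles | obj.local_roles.get(self.name, set())

    def has_role(self, role, obj):
        # Role-name check: only answers "does the user hold this exact role?"
        return role in self.roles_in_context(obj)

    def has_permission(self, permission, obj):
        # Permission check: true if any role held in this context grants it.
        return any(permission in ROLE_PERMISSIONS.get(r, set())
                   for r in self.roles_in_context(obj))

def can_edit_via_role(user, doc):
    """Product hard-wires the 'Editor' role (the anti-pattern from the thread)."""
    return user.has_role("Editor", doc)

def can_edit_via_permission(user, doc):
    """Product asks for the 'Edit' permission (what the reply recommends)."""
    return user.has_permission("Edit", doc)

def demo():
    doc = Document(local_roles={"carol": {"Editor"}})
    alice = User("alice", ["Reviewer"])   # gets Edit through a non-'Editor' role
    bob = User("bob", ["Manager"])        # Manager grants Edit as well
    carol = User("carol", ["Anonymous"])  # Editor only locally, on this doc
    return {u.name: (can_edit_via_role(u, doc), can_edit_via_permission(u, doc))
            for u in (alice, bob, carol)}
```

demo() returns (role_check, permission_check) per user: alice and bob are wrongly refused by the role check but allowed by the permission check, and carol's local role is honoured by both.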