I'm not sure what you're proposing other than having different roles for each restricted area. And that makes roles a restrictive device. I have
Yes, this was what I was proposing.
several areas and several groups of users. My roles represent a type of user, not a type of access to a particular area. A role may enable access to many areas. This is how it is supposed to work with roles as I understand it. The problem I'm trying to address, which for some reason I can't seem to get across to anyone, is as follows. If, say, I restrict the development area to only users with role developer, this is fine. I can then in my main page add a link to this development area that is viewable to only developers like so
<!--#if expr="AUTHENTICATED_USER.has_role('developer')"-->
<LI> <A HREF="development_area/index_html">Development Area</A>
<!--#/if-->
This is fine and what I currently do. My argument is that if later I want, say, users with supervisor role to access the development area then I have to change the permissions on the development area and find all the has_role conditions in my code and change them. This is not a huge point, I realize, but it seems to me a logical function that I should be able to perform. Show something if the user has permission to see it. It also means I can conditionally include DTML only if that user has permission to view that DTML, i.e.
What if you could assign a role to a role? In your example above you have the developer role and the supervisor role. You might then be able to assign the developer role to the supervisor role. Now, this IS NOT the way it works today. Would this approach meet your requirement? With this approach the notion of role becomes much more like a notion of groups.
<!--#if "restrictedDTML.hasPermission(AUTHENTICATED_USER, 'View')"-->
<!--#var restrictedDTML-->
<!--#/if-->
At first glance exposing this stuff at this level would be pretty difficult since different objects can have different permissions associated with them.

--Rob
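The two checks compared in this thread, as an added example that is not part of the original messages and is not Zope's own code: a role name hard-coded in the page versus a permission resolved against each object's own permission-to-role mapping, plus the role-to-role assignment floated in the reply. The names `User`, `SecuredObject`, `ROLE_IMPLIES`, `links_by_role` and `links_by_permission` are hypothetical, and the sample user and area are constructed.

```python
# Illustrative model only; every name here is hypothetical, not a Zope API.

# Role-to-role assignment as floated in the reply: holding the key role also
# grants the listed roles. Empty by default.
ROLE_IMPLIES = {}

class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)

    def effective_roles(self):
        """Expand directly held roles through ROLE_IMPLIES (cycle-safe)."""
        seen, stack = set(), list(self.roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(ROLE_IMPLIES.get(role, ()))
        return seen

    def has_role(self, role):
        return role in self.effective_roles()

class SecuredObject:
    """Each object carries its own permission -> roles mapping."""
    def __init__(self, title, permissions):
        self.title = title
        self.permissions = {p: set(r) for p, r in permissions.items()}

    def has_permission(self, user, permission):
        # A permission the object does not define maps to no roles: fail closed.
        allowed = self.permissions.get(permission, set())
        return bool(allowed & user.effective_roles())

def links_by_role(user, area):
    # Role name baked into the page: must be edited when access policy changes.
    return [area.title] if user.has_role("developer") else []

def links_by_permission(user, area):
    # The page asks the object, so a policy change stays on the object.
    return [area.title] if area.has_permission(user, "View") else []

if __name__ == "__main__":
    area = SecuredObject("Development Area", {"View": ["developer"]})  # constructed
    sup = User("sam", ["supervisor"])                                   # constructed
    area.permissions["View"].add("supervisor")  # policy change on the object only
    print(links_by_role(sup, area), links_by_permission(sup, area))
```

After the policy change the hard-coded role check still hides the link from the supervisor while the permission check shows it, which is the drift between page logic and object permissions described above.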