Fairly dumb SecurityCheckPermission question
Hi,

I am using the security system for the first time, so this question could be trivial. I want to check in one DTML Method whether the current user has permission to view another one. So I have tried the following, where editContact is the target method.

    <dtml-if expr="_.SecurityCheckPermission('View', editContact())">
      <dtml-var expr="_.SecurityGetUser().getUserName()"> has permission
    <dtml-else>
      <dtml-var expr="_.SecurityGetUser().getUserName()"> is unauthorised
    </dtml-if>

It always fails whether the current user has permission to view the target method or not. Worse, if the target method contains any dtml, the above code apparently tries to evaluate it, but can't, and returns an error:

    Error Type: KeyError
    Error Value: standard_html_header

Note that if I change the target method to be this, as in:

    <dtml-if expr="_.SecurityCheckPermission('View', this())">

it works how I expect (but not, of course, how I want).

Any helpful hints gratefully received.

Regards
Neil
Neil Burnett writes:
> I want to check in one DTML Method whether the current user has permission to view another one. So I have tried the following, where editContact is the target method.
>
>     <dtml-if expr="_.SecurityCheckPermission('View', editContact())">

This does not work, because you render (i.e. call) "editContact". The result is a string and it is not very sensible to ask for 'View' permission on a string.
Unfortunately,

    <dtml-if expr="_.SecurityCheckPermission('View', editContact)">

will not work either. This time, it is because "editContact" access is protected by 'View'. As soon as you reference 'editContact', it is checked whether the current user has the 'View' permission, and an 'Unauthorized' exception is raised if not. I think this is a bug, but probably will not be able to convince the relevant people.

Your options:

1. Move the above check into an external method (you need to pass the "id", as otherwise you will get the same problem).

2. Catch the exception in DTML:

    <dtml-call "REQUEST.set('hasViewPermission',0)">
    <dtml-try>
      <dtml-if expr="_.SecurityCheckPermission('View', editContact)">
        <dtml-call "REQUEST.set('hasViewPermission',1)">
      </dtml-if>
    <dtml-except Unauthorized>
    </dtml-try>

Dieter
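Option 1 from the reply above, sketched as an added example that is not part of the original thread or of Zope itself: an External Method that takes the target's id as a string, so the DTML side never references the protected object. The function name `hasPermissionOn`, its parameter names and the file name are hypothetical; `AccessControl.getSecurityManager()` and its `checkPermission()` method are Zope's own API.

```python
# Added example: a Zope External Method, e.g. Extensions/permcheck.py
# (hypothetical file name), registered in the ZMI under the hypothetical
# id "hasPermissionOn".

def hasPermissionOn(self, id, permission='View'):
    """Return 1 if the current user holds `permission` on the object
    named `id`, looked up from `self` (acquisition applies); else 0."""
    # Imported inside the function so the module also loads outside Zope.
    from AccessControl import getSecurityManager

    # External Methods are unrestricted code: this getattr does not run
    # the access check that DTML applies when it references the name,
    # so no Unauthorized is raised just for fetching the object.
    target = getattr(self, id, None)
    if target is None:
        # Unknown id: fail closed rather than report permission.
        return 0

    # Ask the security manager about the object itself, not about the
    # string produced by rendering it.
    if getSecurityManager().checkPermission(permission, target):
        return 1
    return 0
```

From DTML the caller passes the id as a string, for example `<dtml-if expr="hasPermissionOn(this(), 'editContact')">`, which avoids both the rendering problem and the reference-time check described in the reply.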
participants (2): Dieter Maurer, Neil Burnett