Re: [Zope] has_permission for arbitrary user
Mark N. Gibson writes:
<dtml-if expr="acl_users.getUser('someuser').has_permission('Change DTML Document',this())"> Yes <dtml-else> No </dtml-if>
Unfortunately, has_permissions seems to be implemented to call has_permission on the currently logged in user; i.e. AUTHENTICATED_USER. I doubt this very much!
But "getUser" is probably protected. You may consider using a proxy role...
Here's the code for has_permission from the BasicUser Class

    def has_permission(self, permission, object):
        """Check to see if a user has a given permission on an object."""
        return getSecurityManager().checkPermission(permission, object)

Draw your own conclusions. I wrote my own to deal with the problem:

    def hasPermissions(user, obj, permissions):
        """Check to see if user has permissions for object."""
        # Accept a single permission name as well as a list of names
        if type(permissions) == type(''):
            permissions = [permissions]
        # get roles for user, include local roles on obj
        userRoles = list(user.getRoles()) + list(obj.get_local_roles_for_userid(user.getUserName()))
        for perm in permissions:
            objRoles = obj.rolesOfPermission(perm)
            for oRole in objRoles:
                if oRole['name'] in userRoles:
                    if oRole['selected']:
                        return 1
        return 0

Dieter
Mark N. Gibson writes:
DM: ... I doubt that "User.has_permission" uses the authenticated user and not its "*self" .... Here's the code for has_permission from the BasicUser Class

    def has_permission(self, permission, object):
        """Check to see if a user has a given permission on an object."""
        return getSecurityManager().checkPermission(permission, object)

Draw your own conclusions. You convinced me.
A severe bug in my view -- very unintuitive, probably not documented... Something for the collector...
Dieter
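The behaviour discussed in this thread, reduced to a self-contained model: an added example, not part of the original messages and not Zope's own code. `Doc`, `User`, `_current_user`, `user_has_permission` and `demo` are constructed stand-ins; the point is that a check which ignores `self` answers for whoever is logged in, while a check that takes the user explicitly answers for that user.

```python
# Stand-ins for Zope's user, object and security manager (constructed model, not Zope code).
_current_user = None  # models the user bound to the active security manager


class Doc:
    def __init__(self, perm_roles, local_roles=None):
        self.perm_roles = perm_roles            # permission -> roles granted
        self.local_roles = local_roles or {}    # userid -> local roles

    def rolesOfPermission(self, perm):
        # Same shape the posted hasPermissions() reads: 'name' and 'selected'.
        granted = self.perm_roles.get(perm, ())
        return [{'name': r, 'selected': 'SELECTED' if r in granted else ''}
                for r in ('Anonymous', 'Manager', 'Owner')]

    def get_local_roles_for_userid(self, userid):
        return tuple(self.local_roles.get(userid, ()))


class User:
    def __init__(self, name, roles):
        self.name, self.roles = name, tuple(roles)

    def getUserName(self):
        return self.name

    def getRoles(self):
        return self.roles

    def has_permission(self, permission, obj):
        # Behaviour shown in the thread: 'self' is never consulted.
        return user_has_permission(_current_user, permission, obj)


def user_has_permission(user, permission, obj):
    """Decide for the user passed in, counting local roles on obj."""
    roles = set(user.getRoles())
    roles.update(obj.get_local_roles_for_userid(user.getUserName()))
    return any(r['selected'] and r['name'] in roles
               for r in obj.rolesOfPermission(permission))


def demo(logged_in, subject, doc, perm='Change DTML Document'):
    """Return (answer from subject.has_permission, answer for subject itself)."""
    global _current_user
    _current_user = logged_in
    return subject.has_permission(perm, doc), user_has_permission(subject, perm, doc)
```

When the two values returned by `demo` differ, a page rendered for one user is reporting another user's access, which is the mismatch the thread identifies.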
participants (3)
- Chris Withers
- Dieter Maurer
- Mark N. Gibson