Getting current object in an expression while in a dtml-in loop
Hi,

In my search results page I would like to display only those results where the user has the permission to view those files. My question is: how do I refer to the current object in a <dtml-in> loop? I know that I could use <dtml-in Catalog skip_unauthorized> but it still displays all results, even those where the user has absolutely no right.

Here is the example:

<dtml-in Catalog>
  <dtml-if expr="_.SecurityGetUser().has_permission('View', OBJECT?????)">
    ...
  </dtml-if>
</dtml-in>

Can anyone help?

Thanks
Hans
On Tuesday 11 March 2003 06:22, HP Knoll wrote:
Hi,
In my search results page I would like to display only those results where the user has the permission to view those files. My question is: how do I refer to the current object in a <dtml-in> loop? I know that I could use <dtml-in Catalog skip_unauthorized> but it still displays all results, even those where the user has absolutely no right.
Here is the example:
<dtml-in Catalog> <dtml-if expr="_.SecurityGetUser().has_permission('View', OBJECT?????)"> ... </dtml-if> </dtml-in>
Your code doesn't work because a catalog request just retrieves public catalog entries (called "brains"), not real objects. It should work with something like:

<dtml-in "[record.getObject() for record in Catalog()]" skip_unauthorized>
  ...
</dtml-in>

Then, what you retrieve is a list of real objects, on which you may be able to apply the "skip_unauthorized" parameter; you can also sort this list on any of your objects' properties, and not only those indexed into the catalog.

Not tested anyway, and I don't know if this kind of code is as efficient as it should be...

Thierry
HP Knoll wrote at 2003-3-11 06:22 +0100:
In my search results page I would like to display only those results where the user has the permission to view those files. My question is: how do I refer to the current object in a <dtml-in> loop? I know that I could use <dtml-in Catalog skip_unauthorized> but it still displays all results, even those where the user has absolutely no right.
Here is the example:
<dtml-in Catalog> <dtml-if expr="_.SecurityGetUser().has_permission('View', OBJECT?????)"> ...
<dtml-in Catalog prefix=result>
  # now you can access the current object with "result_item"

Note, however, that it is not easy to check "View" permission for some types of objects. In general, accessing an object, even if only to check permission on it, requires the "object permission". Most object classes use "Access contents information" as "object permission", but some (e.g. DTML objects) use "View". You need to use "try...except" to check for availability of the "object permission".

Someone else already told you that the results of a catalog search do not return the objects themselves but proxy objects.

You may look at CMF. It solves your problem with a special index: "AllowedRolesAndUsers". With its help, catalog searches only return objects viewable by the current user.

Dieter
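The index-based approach Dieter points to, sketched as a stand-alone Python model (an added example, not part of the thread and not CMF or Zope code): each record stores, at indexing time, the roles and users allowed to view the object, and the search intersects that set with the caller's. The class, the sample paths and the "user:<id>" token format are assumptions of this sketch.

```python
# Constructed model of a security-aware catalog index; not Zope or CMF code.
# Token format ("user:<id>") and all names here are assumptions of this example.

class ToyCatalog:
    def __init__(self):
        self._titles = {}    # path -> title (the "brain" metadata)
        self._allowed = {}   # path -> roles / user tokens allowed to view

    def index(self, path, title, view_roles, view_users=()):
        """Catalog an object and snapshot who may view it at indexing time."""
        self._titles[path] = title
        self._allowed[path] = set(view_roles) | {"user:" + u for u in view_users}

    def search(self, text, user_id=None, user_roles=()):
        """Return matching paths whose allowed set intersects the caller's tokens."""
        caller = set(user_roles) | {"Anonymous"}
        if user_id is not None:
            caller.add("user:" + user_id)
        # The authorization filter is part of the query itself, so records the
        # caller may not view never reach the template that renders results.
        return [
            path
            for path, title in sorted(self._titles.items())
            if text.lower() in title.lower() and self._allowed[path] & caller
        ]


def build_sample_catalog():
    """Constructed sample data: three documents with different View settings."""
    cat = ToyCatalog()
    cat.index("/docs/public-report", "Report 2003 (public)", ["Anonymous"])
    cat.index("/docs/staff-report", "Report 2003 (staff)", ["Manager", "Staff"])
    cat.index("/docs/hans-report", "Report draft", ["Manager"], view_users=["hans"])
    return cat


if __name__ == "__main__":
    cat = build_sample_catalog()
    print(cat.search("report"))                             # anonymous visitor
    print(cat.search("report", "hans", ["Authenticated"]))  # per-user grant
    print(cat.search("report", "eva", ["Authenticated", "Staff"]))
    # The allowed set is a snapshot: after a permission change the object
    # must be indexed again, otherwise the old answer is still served.
    cat.index("/docs/staff-report", "Report 2003 (staff)", ["Manager"])
    print(cat.search("report", "eva", ["Authenticated", "Staff"]))
```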
participants (3)
- Dieter Maurer
- HP Knoll
- Thierry FLORAC