RE: [Zope] RE: What method do I use to check access?
-----Original Message-----
From: Rob Page [mailto:rob.page@digicool.com]
Sent: Wednesday, May 26, 1999 21:26
To: 'Jay, Dylan'
Cc: 'zope@zope.org'
Subject: RE: [Zope] RE: What method do I use to check access?

What I want is

<!--#if "AUTHENTICATED_USER.hasPermission(SomeObject, 'View')"-->
<a href="<!--#var "SomeObject.absolute_url()"-->">Goto SomeObject</a>
<!--#/if-->
How about:
<!--#if expr="AUTHENTICATED_USER.has_role('requester')"-->
<LI> <A HREF="Requester/index_html">Requester menu</A>
<!--#/if-->
Reading between the lines of your original post it sounds like this approach might work but require you to add more role definitions...
I'm not sure what you're proposing other than having different roles for each restricted area. And that makes roles a restrictive device. I have several areas and several groups of users. My roles represent a type of user, not a type of access to a particular area. A role may enable access to many areas. This is how it is supposed to work with roles as I understand it.

The problem I'm trying to address, which for some reason I can't seem to get across to anyone, is as follows. If, say, I restrict a development area to only users with role developer, this is fine. I can then in my main page add a link to this development area that is viewable to only developers like so

<!--#if expr="AUTHENTICATED_USER.has_role('developer')"-->
<LI> <A HREF="development_area/index_html">Development Area</A>
<!--#/if-->

This is fine and what I currently do. My argument is that if later I want, say, users with supervisor role to access the development area, then I have to change the permissions on the development area and find all the has_role conditions in my code and change them. This is not a huge point, I realize, but it seems to me a logical function that I should be able to perform. Show something if the user has permission to see it. It also means I can conditionally include DTML only if that user has permission to view that DTML, i.e.

<!--#if "restrictedDTML.hasPermission(AUTHENTICATED_USER, 'View')"-->
<!--#var restrictedDTML-->
<!--#/if-->

If this is not something that others see as important or is too hard then fine. I spent a couple of hours on it and couldn't find a nice way of doing it. I thought someone else could do it easier. A function called oldvalidate() looked promising but the name didn't seem to indicate its validity and with no documentation I couldn't work out the arguments. All I want is the security validation mechanism exposed more so I can use it in DTML. Can this be done?
On Wed, 26 May 1999, Jay, Dylan wrote:
-----Original Message-----
From: Rob Page [mailto:rob.page@digicool.com]
Sent: Wednesday, May 26, 1999 21:26
To: 'Jay, Dylan'
Cc: 'zope@zope.org'
Subject: RE: [Zope] RE: What method do I use to check access?

What I want is

<!--#if "AUTHENTICATED_USER.hasPermission(SomeObject, 'View')"-->
<a href="<!--#var "SomeObject.absolute_url()"-->">Goto SomeObject</a>
<!--#/if-->
How about:
<!--#if expr="AUTHENTICATED_USER.has_role('requester')"-->
<LI> <A HREF="Requester/index_html">Requester menu</A>
<!--#/if-->
Reading between the lines of your original post it sounds like this approach might work but require you to add more role definitions...
I'm not sure what you're proposing other than having different roles for each restricted area. And that makes roles a restrictive device. I have several areas and several groups of users. My roles represent a type of user, not a type of access to a particular area. A role may enable access to many areas. This is how it is supposed to work with roles as I understand it.

The problem I'm trying to address, which for some reason I can't seem to get across to anyone, is as follows. If, say, I restrict a development area to only users with role developer, this is fine. I can then in my main page add a link to this development area that is viewable to only developers like so

<!--#if expr="AUTHENTICATED_USER.has_role('developer')"-->
<LI> <A HREF="development_area/index_html">Development Area</A>
<!--#/if-->

This is fine and what I currently do. My argument is that if later I want, say, users with supervisor role to access the development area, then I have to change the permissions on the development area and find all the has_role conditions in my code and change them. This is not a huge point, I realize, but it seems to me a logical function that I should be able to perform. Show something if the user has permission to see it. It also means I can conditionally include DTML only if that user has permission to view that DTML, i.e.

<!--#if "restrictedDTML.hasPermission(AUTHENTICATED_USER, 'View')"-->
<!--#var restrictedDTML-->
<!--#/if-->

If this is not something that others see as important or is too hard then fine. I spent a couple of hours on it and couldn't find a nice way of doing it. I thought someone else could do it easier. A function called oldvalidate() looked promising but the name didn't seem to indicate its validity and with no documentation I couldn't work out the arguments. All I want is the security validation mechanism exposed more so I can use it in DTML. Can this be done?
I would just like to say that I understood from the first what you were trying to accomplish Jay, and I fully agree with you. While roles are an appropriate mechanism for handling the complexity of permissions, it is inappropriate for DTML to check roles. In fact, I would not be in the least averse to a reversal of the situation, wherein DTML is permitted to check permissions, and NOT check roles. After all, the design intention of a role seems to be to provide a way of giving a user a set of permissions. A role encapsulates a grouping of permissions, and ANY role B possessing the same permissions as role A should have access to all of the system that A can access. If DTML could ONLY check permissions, then this would automatically be the case. The current system seems to me to be counter-intuitive both for the DTML and External Method coder, and for the non-coding managers of the system. It is counter-intuitive to see that I can give two people identical permissions to a directory, and yet have one able to access, and the other not. I don't suppose you tried the mechanism I suggested earlier? I was curious to see whether it would work, but haven't got an appropriate developmental setting in which to test it.
--
Howard Clinton Shaw III - Grum
St. Thomas High School
#include "disclaimer.h"
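
The drift both messages describe, as an added example that is not part of the thread and not Zope code: a small Python model in which a template's hard-coded role check is compared against the object's own permission settings. All class and function names, the users and the `development_area` ACL are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    roles: frozenset
    def has_role(self, role):
        return role in self.roles

@dataclass
class Resource:
    path: str
    acl: dict = field(default_factory=dict)   # permission -> set of roles
    def grant(self, permission, role):
        self.acl.setdefault(permission, set()).add(role)
    def revoke(self, permission, role):
        self.acl.get(permission, set()).discard(role)

def has_permission(user, permission, resource):
    """Single decision point: does any role the user holds carry the permission?"""
    return bool(user.roles & resource.acl.get(permission, set()))

def menu_by_role(user, resource, hardcoded_role):
    """What the template does today: the role name is baked into the page."""
    return [resource.path] if user.has_role(hardcoded_role) else []

def menu_by_permission(user, resource):
    """What the thread asks for: the page asks the object who may view it."""
    return [resource.path] if has_permission(user, "View", resource) else []

def drift(users, resource, hardcoded_role):
    """Users for whom the template's role check disagrees with the object's ACL."""
    return sorted(u.name for u in users
                  if bool(menu_by_role(u, resource, hardcoded_role))
                  != bool(menu_by_permission(u, resource)))

def demo():
    # Constructed sample data: one developer, one supervisor.
    alice = User("alice", frozenset({"developer"}))
    bob = User("bob", frozenset({"supervisor"}))
    area = Resource("development_area/index_html")
    area.grant("View", "developer")
    before = drift([alice, bob], area, "developer")
    area.grant("View", "supervisor")      # supervisors may now view; template unchanged
    after_grant = drift([alice, bob], area, "developer")
    area.revoke("View", "developer")      # developers lose View; template unchanged
    after_revoke = drift([alice, bob], area, "developer")
    return before, after_grant, after_revoke

if __name__ == "__main__":
    print(demo())
```

Running `drift` over every template condition after a permission change gives the list of pages whose displayed links, or conditionally included content, no longer match what the access-control settings enforce.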