Re: [Zope] Detecting Roles not working
Kapil Thangavelu <kthangavelu@earthlink.net> wrote:
Jonathan Cheyne wrote:
Hi all
I have built the basis of a site with full, form-based webediting of objects. Coming round to cleanup time and I wanted to remove certain visible functions from the default object views unless you have already logged in (with various possible roles)
In the index_html of my ZClass I have:

<dtml-if "AUTHENTICATED_USER.has_role('Staff')">
  <a href="<dtml-var absolute_url>/<dtml-var type>edit">edit this</a><hr>
</dtml-if>

so if the user is anonymous or logged in without the Staff role assigned, they should not see the "edit this" link ...

Doesn't work! It basically never returns a 'true' response, thus never displays the "edit this" link, even when logged in.
try (untested)
<dtml-if "AUTHENTICATED_USER.has_role('Staff')==1">
or (tested)
<dtml-if "'Staff' in AUTHENTICATED_USER.getRoles()">
Application code should focus on *permissions*, not on *roles*; the mapping between roles and permissions is essentially arbitrary, and testing for roles sets the application up for strange and mysterious failures. The preferred test would be something like::

<dtml-if "SecurityCheckPermission( 'Edit Foo', this() )">
  <a href="&dtml-absolute_url;/&dtml-type;edit">edit this</a><hr>
</dtml-if>

Note as well that, if the user has not yet authenticated, suppressing the display of a link which would trigger authentication (if the edit method is guarded, as it should be, by the same "Edit Foo" permission) can leave that user in a Catch-22: they aren't authenticated, and they can't trigger authentication!

Tres.

--
===============================================================
Tres Seaver tseaver@digicool.com
Digital Creations "Zope Dealers" http://www.zope.org
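The following is an added illustration, not code from this thread or from Zope itself: a small model of a Zope-style permission-to-roles mapping that contrasts the original `has_role('Staff')` test with a permission test, and shows one way to avoid the Catch-22 Tres describes. The `User`, `Folder` and `show_edit_link*` names are assumptions made for the example.

```python
# Added example: why a permission check outlives a role check, and how to
# keep the edit link reachable for anonymous users so it can trigger login.
ANONYMOUS = "Anonymous"


class User:
    """Minimal stand-in for AUTHENTICATED_USER (hypothetical, not Zope's API)."""

    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)

    def has_role(self, role):
        return role in self.roles

    def is_anonymous(self):
        return self.name == ANONYMOUS


class Folder:
    """Holds the admin-editable permission -> roles mapping for an object."""

    def __init__(self, permission_roles):
        self.permission_roles = {p: set(r) for p, r in permission_roles.items()}

    def grant(self, permission, role):
        self.permission_roles.setdefault(permission, set()).add(role)

    def check_permission(self, permission, user):
        # Mirrors the intent of SecurityCheckPermission(permission, this())
        return bool(self.permission_roles.get(permission, set()) & user.roles)


def show_edit_link_by_role(user):
    # The original test: breaks as soon as the role/permission mapping changes.
    return user.has_role("Staff")


def show_edit_link_by_permission(folder, user):
    # The preferred test: follows whatever the site administrator configured.
    return folder.check_permission("Edit Foo", user)


def show_edit_link(folder, user):
    # Permission-based, but also shown to anonymous users so that following it
    # hits the permission-guarded edit method and triggers authentication.
    return user.is_anonymous() or folder.check_permission("Edit Foo", user)


def demo():
    folder = Folder({"Edit Foo": {"Staff", "Manager"}})   # constructed mapping
    editor = User("erin", {"Authenticated", "Editor"})
    anon = User(ANONYMOUS, {ANONYMOUS})
    before = (show_edit_link_by_role(editor), show_edit_link_by_permission(folder, editor))
    folder.grant("Edit Foo", "Editor")  # administrator later widens the mapping
    after = (show_edit_link_by_role(editor), show_edit_link_by_permission(folder, editor))
    return before, after, show_edit_link(folder, anon)
```

The edit method itself must still be guarded by the "Edit Foo" permission; the link for anonymous users only provides the entry point that prompts for credentials.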