[Zope] RE: What method do I use to check access?

Rob Page rob.page@digicool.com
Wed, 26 May 1999 22:52:08 -0400


> I'm not sure what you're proposing other than having different roles for
> each restricted area. And that makes roles a restrictive device. I have

Yes, this was what I was proposing.

> several areas and several groups of users. My roles represent a type of user
> not a type of access to a particular area. A role may enable access to many
> areas. This is how it is supposed to work with roles as I understand it.
> The problem I'm trying to address, which for some reason I can't seem to get
> across to anyone, is as follows. If say I development area to only users
> with role developer this is fine. I can then in my main page add a link to
> this development area that is viewable to only developers like so
> 
> <!--#if expr="AUTHENTICATED_USER.has_role('developer')"-->
> <LI> <A HREF="development_area/index_html">Development Area</A>
> <!--#/if-->
> 
> This is fine and what I currently do. My argument is that if later I want
> say users with supervisor role to access the development area then I have to
> change the permissions on the development area and find all the has_role
> conditions in my code and change them. This is not a huge point I realize but
> it seems to me a logical function that I should be able to perform. Show
> something if the user has permission to see it. It also means I can
> conditionally include DTML only if that user has permission to view that
> DTML.
> ie

What if you could assign a role to a role?  In your example above
you have the developer role and the supervisor role.  You might then be
able to assign the developer role to the supervisor role.  Now, this IS
NOT the way it works today.  Would this approach meet your requirement?

With this approach the notion of role becomes much more like a notion of
groups.

> <!--#if "restrictedDTML.hasPermission(AUTHENTICATED_USER, 'View')"-->
>  <!--#var restrictedDTML-->
> <!--#/if-->

At first glance exposing this stuff at this level would be pretty
difficult since different objects can have different permissions
associated with them.

--Rob
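
The two approaches discussed in this thread, as an added example that is not part of the original message and is not Zope's API: a per-object permission check that drives what is shown, and role-to-role grants (supervisor receives developer). Every name below (`ROLE_GRANTS`, `Resource`, `has_permission`, `visible_links`) is hypothetical and the data is constructed.

```python
# Constructed model for illustration; none of these names are Zope APIs.

# Role-to-role grants: holding "supervisor" also confers "developer".
ROLE_GRANTS = {"supervisor": {"developer"}}


def effective_roles(roles, grants=ROLE_GRANTS):
    """Expand roles through role-to-role grants; safe against grant cycles."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(grants.get(role, ()))
    return seen


class Resource:
    """An object that carries its own permission -> allowed-roles mapping."""

    def __init__(self, name, acl):
        self.name = name
        self.acl = {perm: set(roles) for perm, roles in acl.items()}


def has_permission(user_roles, permission, resource, grants=ROLE_GRANTS):
    """True if any effective role holds `permission` on this resource.

    A permission the resource does not list is denied by default.
    """
    allowed = resource.acl.get(permission, set())
    return bool(effective_roles(user_roles, grants) & allowed)


def visible_links(user_roles, resources, grants=ROLE_GRANTS):
    """Decide what to render from each object's ACL, not a hard-coded role."""
    return [r.name for r in resources
            if has_permission(user_roles, "View", r, grants)]


if __name__ == "__main__":
    dev_area = Resource("development_area", {"View": {"developer"}})
    reports = Resource("reports", {"View": {"supervisor"}})
    for roles in ({"developer"}, {"supervisor"}, set()):
        print(sorted(roles), "->", visible_links(roles, [dev_area, reports]))
```

The display check only decides what to render; the same `has_permission` test still has to run when the object itself is requested, since a hidden link does not restrict access.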