[Zope] RE: What method do I use to check access?
Jay, Dylan
djay@lucent.com
Thu, 27 May 1999 13:08:52 +1000
> -----Original Message-----
> From: Rob Page [mailto:rob.page@digicool.com]
> Sent: Thursday, May 27, 1999 12:52
> To: Jay, Dylan
> Cc: zope@zope.org
> Subject: RE: [Zope] RE: What method do I use to check access?
>
>
> > I'm not sure what you're proposing other than having different roles for
> > each restricted area. And that makes roles a restrictive device. I have
>
> Yes, this was what I was proposing.
>
> > several areas and several groups of users. My roles represent a type of user
> > not a type of access to a particular area. A role may enable access to many
> > areas. This is how it's supposed to work with roles as I understand it.
> > The problem I'm trying to address, which for some reason I can't seem to get
> > across to anyone, is as follows. If say I development area to only users
> > with role developer this is fine. I can then in my main page add a link to
> > this development area that is viewable to only developers like so
> >
> > <!--#if expr="AUTHENTICATED_USER.has_role('developer')"-->
> > <LI> <A HREF="development_area/index_html">Development Area</A>
> > <!--#/if-->
> >
> > This is fine and what I currently do. My argument is that if later I want
> > say users with supervisor role to access the development area then I have to
> > change the permissions on the development area and find all the has_role
> > conditions in my code and change them. This is not a huge point I realize but
> > it seems to me a logical function that I should be able to perform. Show
> > something if the user has permission to see it. It also means I can
> > conditionally include DTML only if that user has permission to view that
> > DTML.
> > ie
>
> What if you could define assign a role to a role? In your example above
> you have the developer role and the supervisor role. You might then be
> able to assign the developer role to the supervisor role. Now, this IS
> NOT the way it works today. Would this approach meet your requirement?
That would be useful in other ways. What you're talking about would be like
inheritance of roles I think, which would be very useful. It would make it
somewhat easier to do what I propose since then you could make up a role for
each restricted area and then just include the roles that are allowed in.
But it still doesn't help in other areas. For instance I have a sitemap that
is generated dynamically from the zope ODB. I don't want to include links in
there that the user can't see.
> With this approach the notion of role becomes much more like a notion of
> groups.
>
> > <!--#if "restrictedDTML.hasPermission(AUTHENTICATED_USER, 'View')"-->
> > <!--#var restrictedDTML-->
> > <!--#/if-->
>
> At first glance exposing this stuff at this level would be pretty
> difficult since different objects can have different permissions
> associated with them.
Can't a permission be looked up based on its string label?
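
The permission-based check argued for in this thread, as an added example that is not part of the original message and is not Zope's security API. It is a toy Python model (the names `Node`, `has_permission` and `sitemap` are assumptions) in which the page asks whether the user holds a permission label on an object, so the sitemap only lists what the user may view and opening the development area to supervisors is a single change on that object.

```python
# Toy model constructed for illustration; this is not Zope's security API.
from dataclasses import dataclass, field


@dataclass
class Node:
    """A published object; `grants` maps a permission label to allowed roles."""
    name: str
    grants: dict = field(default_factory=dict)
    parent: "Node | None" = None
    children: list = field(default_factory=list)

    def __post_init__(self):
        if self.parent is not None:
            self.parent.children.append(self)

    def roles_for(self, permission):
        # Nearest explicit setting wins; otherwise inherit from the container.
        node = self
        while node is not None:
            if permission in node.grants:
                return node.grants[permission]
            node = node.parent
        return frozenset()  # granted nowhere: deny by default


def has_permission(user_roles, permission, obj):
    """Check a permission on an object instead of testing for a named role."""
    return bool(set(user_roles) & obj.roles_for(permission))


def sitemap(root, user_roles, permission="View"):
    """Paths the user may view; a hidden container hides its whole subtree."""
    paths = []
    def walk(node, prefix):
        if not has_permission(user_roles, permission, node):
            return
        path = f"{prefix}/{node.name}"
        paths.append(path)
        for child in node.children:
            walk(child, path)
    walk(root, "")
    return paths

# Constructed sample site mirroring the thread's development area.
site = Node("site", {"View": frozenset({"developer", "supervisor"})})
dev = Node("development_area", {"View": frozenset({"developer"})}, parent=site)
Node("index_html", parent=dev)
Node("news", parent=site)
```

Setting `dev.grants["View"]` to include `supervisor` changes what `sitemap(site, {"supervisor"})` returns without touching any caller, which is the maintenance point made against scattered `has_role` tests.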