[Zope] Detecting Roles not working

Tres Seaver tseaver@digicool.com
Thu, 05 Oct 2000 12:52:05 -0400


Kapil Thangavelu <kthangavelu@earthlink.net> wrote

> Jonathan Cheyne wrote:
> >
> > Hi all
> >
> > I have built the basis of a site with full, form-based webediting of
> > objects. Coming round to cleanup time and I wanted to remove certain
> > visible functions from the default object views unless you have already
> > logged in (with various possible roles)
> >
> > in the index_html of my zclass i have
> >
> > <dtml-if "AUTHENTICATED_USER.has_role('Staff')">
> > <a href="<dtml-var absolute_url>/<dtml-var type>edit">edit this</a><hr>
> > </dtml-if>
> > so if the user is anonymous or logged in without the Staff role assigned
> > they should not see the "edit this" link ...
> >
> > Doesn't work! It basically never returns a 'true' response thus never
> > displays the edit this link even when logged in.
> 
> try (untested)
> 
> <dtml-if "AUTHENTICATED_USER.has_role('Staff')==1">
> 
> or (tested)
> 
> <dtml-if "'Staff' in AUTHENTICATED_USER.getRoles()">

Application code should focus on *permissions*, not on *roles*;
the mapping between roles and permissions is essentially arbitrary,
and testing for roles sets the application up for strange and mysterious
failures.

The preferred test would be something like::

 <dtml-if "SecurityCheckPermission( 'Edit Foo', this() )">
  <a href="&dtml-absolute_url;/&dtml-type;edit">edit this</a><hr>
 </dtml-if>

Note as well that, if the user has not yet authenticated, suppressing
the display of a link which would trigger authentication (if the edit
method is guarded, as it should be, by the same "Edit Foo" permission)
can leave that user in a Catch-22:  they aren't authenticated, and they
can't trigger authentication!

Tres.
-- 
===============================================================
Tres Seaver                                tseaver@digicool.com
Digital Creations     "Zope Dealers"       http://www.zope.org
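A toy model of the role/permission indirection Tres describes, added here as an example and not code from the thread or from Zope: users hold roles, each object maps permissions to roles (acquiring the mapping from its parent when unset), and the `link_visible_by_*` helpers stand in for the two `<dtml-if>` tests. The names `Folderish`, `check_permission` and `demo` are invented for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    roles: frozenset[str] = frozenset({"Anonymous"})  # not logged in by default

    def has_role(self, role: str) -> bool:
        return role in self.roles

@dataclass
class Folderish:
    # Per-object mapping permission -> roles; a missing entry means
    # "acquire the setting from the parent", as in Zope 2.
    permission_roles: dict[str, frozenset[str]] = field(default_factory=dict)
    parent: Folderish | None = None

    def roles_for(self, permission: str) -> frozenset[str]:
        roles = self.permission_roles.get(permission)
        if roles is None and self.parent is not None:
            return self.parent.roles_for(permission)  # acquired setting
        return roles or frozenset()

def check_permission(permission: str, user: User, obj: Folderish) -> bool:
    """Permission test: does the user hold any role granted the permission here?"""
    return bool(user.roles & obj.roles_for(permission))

def link_visible_by_role(user: User, obj: Folderish) -> bool:
    return user.has_role("Staff")  # bakes the role->permission mapping into the template

def link_visible_by_permission(user: User, obj: Folderish) -> bool:
    return check_permission("Edit Foo", user, obj)

def demo() -> tuple[dict, dict]:
    """Return {user: (role_check, permission_check)} before and after a remap."""
    root = Folderish({"Edit Foo": frozenset({"Staff"})})
    doc = Folderish(parent=root)  # acquires "Edit Foo" -> Staff from root
    users = [User("alice", frozenset({"Authenticated", "Staff"})),
             User("bob", frozenset({"Authenticated", "Editor"})),
             User("anon")]  # constructed sample users; anon has only Anonymous

    def snapshot():
        return {u.name: (link_visible_by_role(u, doc),
                         link_visible_by_permission(u, doc)) for u in users}

    before = snapshot()
    root.permission_roles["Edit Foo"] = frozenset({"Editor"})  # admin re-maps the permission
    return before, snapshot()
```

After the remap the role test keeps showing the link to alice, who can no longer edit, and hides it from bob, who now can; the permission test follows the mapping, and the anonymous user never sees the link in either case, which is the Catch-22 above.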