[Zope] Should the use of hasRole() be discouraged?
Brian Lloyd
brian@digicool.com
Wed, 14 Mar 2001 12:02:47 -0500
> I've read comments from others whereby they've reluctantly been obliged
> to give users a certain role in order for some products to work, due to
> a hasRole() call in the product.
>
> But why do products call hasRole()? I would have thought that for most
> cases the proper thing to do was to test for the user having the
> necessary *permission*; that is, the product shouldn't test for the
> user having the 'Editor' role, but for having the 'Edit' permission
> (roles just being a means to simplify the allocation of permissions to
> users).
>
> Or have I missed something?
You are correct - user.hasRole() is especially bad because
it is an old legacy name from the distant past that is really
an alias for user.allowed(). user.has_role() can be used
to see if a user has a given role (by direct assignment, or
in the context of an object), but this interface is really
more about seeing what roles a user has than about checking
security.
Products should be using:

    user.has_permission(permission_name, object)

to check whether a user has a given permission on an object.
Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com
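An added illustration of the distinction Brian draws, not code from the original post or from Zope itself: a small stand-alone Python model of Zope-style role and permission checks. The Obj and User classes, the site layout, the role names 'Editor' and 'Reviewer' and the user names are all constructed for this example; only the method names has_role and has_permission, and the argument order has_permission(permission_name, object), follow the Zope API named above. It shows why a product that hard-wires user.has_role('Editor') forces an administrator to hand out that role, while a product that checks the 'Edit' permission keeps working however the site maps roles to permissions.

```python
# Constructed model of Zope-style role/permission checks. Not Zope code:
# the classes, site layout, role and user names are assumptions made for
# this example; only the names has_role/has_permission and the argument
# order has_permission(permission_name, object) follow the Zope API.

class Obj:
    """A content object. Permission-to-role settings and local roles are
    acquired from the parent when an object does not set them itself."""

    def __init__(self, name, parent=None, permission_roles=None):
        self.name = name
        self.parent = parent
        # permission name -> set of roles granted that permission here
        self.permission_roles = dict(permission_roles or {})
        # role name -> set of user names holding that role locally
        self.local_roles = {}

    def roles_for_permission(self, permission):
        # Walk up the containment tree to the nearest explicit setting.
        node = self
        while node is not None:
            if permission in node.permission_roles:
                return node.permission_roles[permission]
            node = node.parent
        return set()


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)  # globally assigned roles

    def roles_in_context(self, obj):
        # Global roles plus local roles found on obj or any ancestor.
        roles = set(self.roles)
        node = obj
        while node is not None:
            for role, holders in node.local_roles.items():
                if self.name in holders:
                    roles.add(role)
            node = node.parent
        return roles

    def has_role(self, role, obj=None):
        # Answers "does this user hold role X", directly or in obj's context.
        # Fine for display; a poor security check (see has_permission).
        roles = self.roles_in_context(obj) if obj is not None else self.roles
        return role in roles

    def has_permission(self, permission, obj):
        # The check products should make: one of the user's roles in this
        # context has been granted the permission on obj (or an ancestor).
        return bool(self.roles_in_context(obj) & obj.roles_for_permission(permission))


# Two ways a product might guard an edit action.
def may_edit_by_role(user, obj):
    return user.has_role('Editor', obj)          # hard-wires the role name

def may_edit_by_permission(user, obj):
    return user.has_permission('Edit', obj)      # respects the site's settings


def build_site():
    # Root grants 'Edit' to Managers and Editors; the site admin then lets
    # Reviewers edit inside /docs by changing the permission mapping there,
    # without giving anyone the 'Editor' role.
    root = Obj('root', permission_roles={'Edit': {'Manager', 'Editor'}})
    docs = Obj('docs', parent=root)
    docs.permission_roles['Edit'] = {'Manager', 'Editor', 'Reviewer'}
    page = Obj('page', parent=docs)
    return root, docs, page


def demo():
    root, docs, page = build_site()
    reviewer = User('rita', ['Authenticated', 'Reviewer'])
    owner = User('olga', ['Authenticated'])
    page.local_roles['Editor'] = {'olga'}   # local role on one object only
    return {
        # Role check fails for the reviewer even though the admin granted Edit
        'reviewer_role_check': may_edit_by_role(reviewer, page),
        'reviewer_perm_check': may_edit_by_permission(reviewer, page),
        'reviewer_edit_root': may_edit_by_permission(reviewer, root),
        # has_role with and without an object context, as the post describes
        'owner_editor_direct': owner.has_role('Editor'),
        'owner_editor_on_page': owner.has_role('Editor', page),
        'owner_edit_page': may_edit_by_permission(owner, page),
        'owner_edit_docs': may_edit_by_permission(owner, docs),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

Running it prints False for the role-based check on the reviewer and True for the permission-based one on the same object, which is the situation the original poster describes: with a role check in the product, the only way to let the reviewer edit is to give her the 'Editor' role, and with it every other permission that role carries anywhere in the site. The local-role entries show the "in the context of an object" half of has_role: the owner is not an Editor by direct assignment, is one on the page, and therefore passes the permission check on the page but not on its container.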