[Zope] Re: roles check
David A. Riggs
spam_riggs at csee.wvu.edu
Fri May 7 09:07:04 EDT 2004
schandra at csee.wvu.edu wrote:
>
> I want to check for two roles in a page. I did it like this:
>
>
> <dtml-unless "_.SecurityGetUser().has_role('Faculty||staff')">
> <dtml-call expr="RESPONSE.redirect('../login_form')">
> </dtml-unless>
>
> Is this correct?
>
This is wrong for several different reasons.
1. The obvious one, your first line is checking for a role
called "Faculty||staff", instead of checking for a role
called "Faculty" or a role called "staff".
2. The not-so-obvious one is in the intent of this code.
It looks like you're trying to manually do what Zope's
security does for you. Take away the "View" permission
for anyone not in these roles, and the CookieCrumbler
will take care of sending the user to the login_form.
This can be done on an entire directory so that you're
not in charge of making sure this check is done at
every restricted page. In other words, this block
of code is likely not necessary.
- David A. Riggs <riggs at csee dot wvu dot edu>
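
The two points in the reply above, as an added example that is not part of the original message and is not Zope's own code: a small self-contained Python model in which `has_role` treats a string as one role name and a list as "any of these", and a View restriction set once on a folder applies to every page beneath it. The classes, the sample site and the users are constructed for illustration; in Zope the folder-level setting is made on the folder's Security tab or with `manage_permission`.

```python
# Simplified model of role checks and folder-level View permission.
# Hypothetical classes for illustration; this is not Zope's implementation.

class User:
    def __init__(self, name, roles):
        self.name, self.roles = name, set(roles)

    def has_role(self, roles):
        # A string is ONE role name; a list matches if the user has any of them.
        if isinstance(roles, str):
            roles = [roles]
        return any(r in self.roles for r in roles)


class Node:
    """Folder or page. view_roles=None means 'acquire from the parent'."""
    def __init__(self, name, parent=None, view_roles=None):
        self.name, self.parent, self.view_roles = name, parent, view_roles

    def effective_view_roles(self):
        node = self
        while node is not None:
            if node.view_roles is not None:
                return node.view_roles
            node = node.parent
        return ["Anonymous"]  # constructed default: an unrestricted tree is public


def request(user, page):
    """What the framework returns for a request, with no per-page check."""
    allowed = page.effective_view_roles()
    if "Anonymous" in allowed or user.has_role(allowed):
        return "200 " + page.name
    return "302 login_form"


# Constructed sample site: the restriction is set once, on the folder.
root = Node("root")
restricted = Node("restricted", root, view_roles=["Faculty", "staff", "Manager"])
grades = Node("grades", restricted)    # acquires the folder's setting
reports = Node("reports", restricted)  # so does every other page in it
home = Node("home", root)

alice = User("alice", ["Faculty"])
bob = User("bob", ["Student"])
```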