Kapil Thangavelu <[EMAIL PROTECTED]> wrote

> Jonathan Cheyne wrote:
> >
> > Hi all
> >
> > I have built the basis of a site with full, form-based webediting of
> > objects. Coming round to cleanup time and I wanted to remove certain
> > visible functions from the default object views unless you have already
> > logged in (with various possible roles)
> >
> > in the index_html of my zclass i have
> >
> > <dtml-if "AUTHENTICATED_USER.has_role('Staff')">
> > <a href="<dtml-var absolute_url>/<dtml-var type>edit">edit this</a><hr>
> > </dtml-if>
> > so if the user is anonymous or logged in without the Staff role assigned
> > they should not see the "edit this" link ...
> >
> > Doesn't work! It basically never returns a 'true' response thus never
> > displays the edit this link even when logged in.
> try (untested)
> <dtml-if "AUTHENTICATED_USER.has_role('Staff')==1">
> or (tested)
> <dtml-if "'Staff' in AUTHENTICATED_USER.getRoles()">

Application code should focus on *permissions*, not on *roles*;
the mapping between roles and permissions is essentially arbitrary,
and testing for roles sets the application up for strange and mysterious

The preferred test would be something like::

 <dtml-if "SecurityCheckPermission( 'Edit Foo', this() )">
  <a href="&dtml-absolute_url;/&dtml-type;edit">edit this</a><hr>
 </dtml-if>

Note as well that, if the user has not yet authenticated, suppressing
the display of a link which would trigger authentication (if the edit
method is guarded, as it should be, by the same "Edit Foo" permission)
can leave that user in a Catch-22:  they aren't authenticated, and they
can't trigger authentication!

Tres Seaver                                [EMAIL PROTECTED]
Digital Creations     "Zope Dealers"       http://www.zope.org

Zope maillist  -  [EMAIL PROTECTED]
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-dev )
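The following is an added example, not code from the thread or from Zope itself: a small Python model of Zope's role-to-permission indirection, written to show the difference between the two tests discussed above. A `Folder` carries a permission-to-roles mapping and acquires unmapped permissions from its parent, `check_permission` stands in for `SecurityCheckPermission`, and the site layout (a root where Staff and Manager may edit, an archive folder narrowed to Manager only), the user names, and the `edit_link_with_login_chance` variant that addresses the Catch-22 are all assumptions made for the illustration.

```python
# Added example (not from the original thread or from Zope): a toy model of
# Zope's role/permission indirection, showing why a UI check should ask
# "does this user have the 'Edit Foo' permission here?" rather than
# "does this user have the Staff role?".  Names and mappings are assumed.

ANONYMOUS_ROLE = "Anonymous"


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)

    def has_role(self, role):
        return role in self.roles

    def getRoles(self):
        return sorted(self.roles)

    def is_anonymous(self):
        return self.roles == frozenset({ANONYMOUS_ROLE})


class Folder:
    """Container holding a permission -> roles mapping.  A permission not
    mapped on this folder is acquired from the parent, as Zope does."""

    def __init__(self, name, parent=None, perm_roles=None):
        self.name = name
        self.parent = parent
        self.perm_roles = {p: frozenset(r) for p, r in (perm_roles or {}).items()}

    def roles_for(self, permission):
        node = self
        while node is not None:
            if permission in node.perm_roles:
                return node.perm_roles[permission]
            node = node.parent
        return frozenset()


def check_permission(permission, obj, user):
    """Stand-in for SecurityCheckPermission: true iff one of the user's
    roles is granted the permission on obj, directly or by acquisition."""
    return bool(user.roles & obj.roles_for(permission))


def edit_link_by_role(user):
    """The original template's test: hard-wires the Staff role."""
    return user.has_role("Staff")


def edit_link_by_permission(user, obj):
    """The preferred test: ask about the permission the edit view needs."""
    return check_permission("Edit Foo", obj, user)


def edit_link_with_login_chance(user, obj):
    """One way around the Catch-22 (an assumption, not from the thread):
    also show the link to anonymous users so the guarded edit view can
    challenge them for credentials."""
    return user.is_anonymous() or check_permission("Edit Foo", obj, user)


class Unauthorized(Exception):
    pass


def edit_view(user, obj):
    """The edit method, guarded by the same 'Edit Foo' permission."""
    if not check_permission("Edit Foo", obj, user):
        raise Unauthorized(f"{user.name} may not edit {obj.name}")
    return f"editing {obj.name}"


# Constructed site: at the root Staff and Manager may edit; the archive
# folder narrows 'Edit Foo' to Manager only; news acquires the root mapping.
root = Folder("site", perm_roles={"Edit Foo": {"Staff", "Manager"}})
archive = Folder("archive", parent=root, perm_roles={"Edit Foo": {"Manager"}})
news = Folder("news", parent=root)

anon = User("anonymous", {ANONYMOUS_ROLE})
staff = User("alice", {"Authenticated", "Staff"})
manager = User("bob", {"Authenticated", "Manager"})

if __name__ == "__main__":
    for user in (anon, staff, manager):
        for obj in (news, archive):
            print(user.name, obj.name,
                  "role test:", edit_link_by_role(user),
                  "permission test:", edit_link_by_permission(user, obj))
```

Running it shows the two failure modes of the role test: the Manager never sees the link even though the edit view would accept them, and Staff sees the link in the archive folder even though the edit view there would reject them. The permission test agrees with the guard on the edit view in every case, and `edit_link_with_login_chance` is the one variant that still gives an anonymous visitor a way to hit the guarded view and be asked to log in.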
