1.2.5.1 Using Roles

Role based authorisation is the recommended way of using the web.auth module as it is more powerful and flexible than using access levels. Of course, you can if you wish combine access levels and roles by specifying both.

Before you can grant a user a particular role you must first add the role to the auth database using an admin or manager object as described earlier.

admin.addRole('add')
admin.addRole('edit')

Each user is granted different roles to different applications. If you have applications named cms and news then a particular user might be granted the roles add and edit for news but only edit for cms.

admin.setRole(username='james', app='news', role='add')
admin.setRole(username='james', app='news', role='edit')
admin.setRole(username='james', app='cms', role='edit')

The user can then be authorised based on their roles:

>>> user = admin.user('james')
>>> user.authorise(app='cms', role='add')
0
>>> user.authorise(app='cms', role='edit')
1
>>> user.authorise(app='news', role='add')
1
>>> user.authorise(app='news', role='edit')
1

To obtain a user's roles you can do one of the following:

>>> user = admin.user('james')
>>> user.roles
{'cms':['edit'], 'news':['add','edit']}
>>> admin.roles(username='james', app='cms')
'edit'

There are also methods for roleExists(), removeRole() and unsetRole().
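The following is an added example, not code from the web.auth module, that models the semantics described above in a standalone in-memory store: roles must be defined before they can be granted, grants are scoped per application so that add on news says nothing about add on cms, and authorise() denies anything not explicitly granted (unknown user, unknown app, or a role the user never received). The RoleStore class, its dict-backed storage, and the build_example() helper are assumptions of this example; the method names mirror those the text describes.

```python
from typing import Dict, List, Set


class RoleStore:
    """In-memory model of per-application role grants (example code, not web.auth)."""

    def __init__(self) -> None:
        self._defined: Set[str] = set()  # roles created with addRole()
        # _grants[username][app] -> sorted list of roles granted for that app
        self._grants: Dict[str, Dict[str, List[str]]] = {}

    def addRole(self, role: str) -> None:
        """Define a role; a role must exist here before it can be granted."""
        self._defined.add(role)

    def roleExists(self, role: str) -> bool:
        return role in self._defined

    def setRole(self, username: str, app: str, role: str) -> None:
        """Grant `role` to `username` for `app` only; refuse undefined roles."""
        if not self.roleExists(role):
            raise ValueError("unknown role %r; call addRole() first" % role)
        granted = self._grants.setdefault(username, {}).setdefault(app, [])
        if role not in granted:
            granted.append(role)
            granted.sort()

    def unsetRole(self, username: str, app: str, role: str) -> None:
        """Revoke `role` for one app; other apps' grants are untouched."""
        apps = self._grants.get(username, {})
        granted = apps.get(app, [])
        if role in granted:
            granted.remove(role)
        if app in apps and not granted:
            del apps[app]  # drop empty app entries so roles() stays tidy

    def roles(self, username: str) -> Dict[str, List[str]]:
        """Return a copy of {app: [roles]} for the user (empty dict if unknown)."""
        return {app: list(r) for app, r in self._grants.get(username, {}).items()}

    def authorise(self, username: str, app: str, role: str) -> bool:
        """Deny by default: True only if this exact (user, app, role) was granted."""
        return role in self._grants.get(username, {}).get(app, [])


def build_example() -> RoleStore:
    """Reproduce the grants from the text: james may add+edit news, edit cms only."""
    admin = RoleStore()
    admin.addRole('add')
    admin.addRole('edit')
    admin.setRole(username='james', app='news', role='add')
    admin.setRole(username='james', app='news', role='edit')
    admin.setRole(username='james', app='cms', role='edit')
    return admin


if __name__ == "__main__":
    admin = build_example()
    for app, role in [('cms', 'add'), ('cms', 'edit'), ('news', 'add'), ('news', 'edit')]:
        print(app, role, admin.authorise('james', app=app, role=role))
    print(admin.roles('james'))
```

The deny-by-default shape of authorise() is the property worth checking when wiring roles into request handling: a lookup that falls through to an empty list cannot accidentally grant a role from a different application.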