
Defining Roles

Permissions can be grouped together in Roles, which makes granting all the permissions for a particular type of user much easier. Defining roles is similar to defining permissions.
Zope 3 and Grok come with authorization capabilities out of the box. While a vanilla Zope 3 application protects all content by default and performs authorization checks on the content objects themselves, Grok allows access to everything unless you explicitly restrict it. The authorization checks here are done based on the Views used to access (display/manipulate) the content.

As an example, let's group all permissions in two roles: one for normal site members, and one for administrators:

import grok

# Both roles refer to permissions (mysite.ViewContacts, mysite.AddContacts,
# mysite.EditContacts) that must already be defined as grok.Permission classes.
class MemberRole(grok.Role):
    grok.name('mysite.Member')
    grok.title('Contacts Member') # optional
    grok.permissions(
        'mysite.ViewContacts',
        'mysite.AddContacts')

class AdministratorRole(grok.Role):
    grok.name('mysite.Administrator')
    grok.title('Contacts Administrator') # optional
    grok.permissions(
        'mysite.ViewContacts',
        'mysite.AddContacts',
        'mysite.EditContacts')

A role is assigned to a principal on a particular context, and the assignment applies to everything contained in that context. If the context is the site/application itself, users holding the administrator role can edit all ContactInfos, regardless of who created them.

# note: in Grok 0.12+ the securitypolicy package moved from
# zope.app.securitypolicy to zope.securitypolicy
from zope.securitypolicy.interfaces import IPrincipalRoleManager

# context: the object on which the role is granted (here the site/application);
# principalID: the id of the user who receives the role
role_man = IPrincipalRoleManager(context)
role_man.assignRoleToPrincipal('mysite.Administrator', principalID)
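To make the scope of a role assignment concrete, here is an added example (not part of the tutorial or of Grok itself) that models the two roles above and shows why a role granted on the site reaches every ContactInfo while a role granted on a single ContactInfo does not. The Context class, the principal ids and the contact objects are plain-Python stand-ins for the Zope objects, chosen so the example runs without grok or zope.securitypolicy installed.

```python
# Added example, not from the Grok tutorial: a self-contained model of how a
# role assigned through IPrincipalRoleManager on one context also applies to
# the objects that context contains. Plain Python stand-ins replace the Zope
# objects so it runs without grok or zope.securitypolicy installed.

# Role -> permissions, mirroring MemberRole and AdministratorRole above.
ROLES = {
    'mysite.Member': {'mysite.ViewContacts', 'mysite.AddContacts'},
    'mysite.Administrator': {'mysite.ViewContacts', 'mysite.AddContacts',
                             'mysite.EditContacts'},
}

class Context:
    """Stand-in for a content object: a parent link plus local role grants."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.role_grants = {}  # principal id -> roles granted on this object

    def assign_role_to_principal(self, role, principal_id):
        # Counterpart of IPrincipalRoleManager(self).assignRoleToPrincipal(...)
        if role not in ROLES:
            raise KeyError('unknown role: %s' % role)
        self.role_grants.setdefault(principal_id, set()).add(role)

def roles_for(principal_id, context):
    """Roles granted to the principal on the context or any of its ancestors."""
    roles, node = set(), context
    while node is not None:
        roles |= node.role_grants.get(principal_id, set())
        node = node.parent
    return roles

def has_permission(principal_id, permission, context):
    """True if some role the principal holds in scope carries the permission."""
    return any(permission in ROLES[r] for r in roles_for(principal_id, context))

def demo():
    # Constructed sample hierarchy: a site containing two ContactInfo objects.
    site = Context('site')
    alice_contact = Context('contact-alice', parent=site)
    bob_contact = Context('contact-bob', parent=site)
    site.assign_role_to_principal('mysite.Administrator', 'admin')  # site-wide
    alice_contact.assign_role_to_principal('mysite.Administrator', 'alice')  # local
    return {
        'admin_edits_bob': has_permission('admin', 'mysite.EditContacts', bob_contact),
        'alice_edits_own': has_permission('alice', 'mysite.EditContacts', alice_contact),
        'alice_edits_bob': has_permission('alice', 'mysite.EditContacts', bob_contact),
    }
```

Running demo() shows the site-wide administrator editing any contact, while a principal given the same role on only one ContactInfo can edit that object and nothing else.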