The system does not do any further security authorization automatically. There are two ways to address this. One is to insert appropiate calls to the security check function ($_obweb->has($a, $b, $c)). This is generally the way that access to specific records within a database would be handled. See the NEWS modules and how they handle restricted categories for an example. The second method would be to create a separate function, and use that as a parameter in the SLOT definition. So, you could created functions news_show_all() and news_show_unrestricted(). Depending on which function was called, you could determine what to show.
For example, language configuration can be used by anybody who has modlang operation for module core. An user will have modlang operation if he belongs to a group that has this operation. At present there is no code written to assign a security object directly to a user. You would need to manually update the database table.
![[Warning]](images/admonitions/warning.png) | Never check for users or groups |
|---|---|
It's not a good idea to grant permissions checking for a specific user or group id, but you have to check if he has a given operation. Add a new one only if an appropriate operation doesn't exist. | |