If you want to check for a permission on a user other than the one who is currently logged in, this will not do what you'd expect:
> user.checkPermission(ModifyPortalContent, self.context)
This acquires the checkPermission() method from the MembershipTool and actually checks the permission on the currently logged-in user (authenticated member), ignoring the user object. In theory, this should do the trick:
> user.has_permission(ModifyPortalContent, self.context)
However, at least in my code, this returns False because Acquisition claims that the user object and self.context are not in the same acquisition context. What finally worked for me was:
> from plone import api
> with api.env.adopt_user(user=user):
> user.checkPermission(ModifyPortalContent, self.context)
This temporarily switches the security context to user, which is then used for permission checks. If you're not using plone.api, you'll do something like
> old_security_manager = getSecurityManager()
> newSecurityManager(getRequest(), user)
> user.checkPermission(ModifyPortalContent, self.context)
> setSecurityManager(old_security_manager)