On Wed, Dec 7, 2011 at 6:03 AM, Maarten Nieber <[email protected]> wrote:
> However, when I open the sharing tab, I see a mapping from "specific users or
> groups" to permissions (can view, can edit, etc), not to roles.

You are dealing with roles, the sharing tab UI just fools otherwise, unfortunately.

I'm always a bit deflated that Plone papered over the distinction between roles and permissions on the sharing page. It is a leaky abstraction. The help text has things like "inherit permission" -- that does not do what you think it means. And the column headings don't match roles in workflow definitions or ZMI manage_access.

So really, one is better off customizing the sharing tab UI to show the role names in addition to the capability label. IMHO, Plone should really do something like this for the heading of sharing page columns:

  <th>
    <h2>Contributor</h2>
    <h4>(Can add)</h4>
  </th>

... and change the help text for "inherit permissions" to use more accurate terminology (along with any translations).

The default roles and their column names:

  Contributor -> "Can add"
  Editor -> "Can edit"
  Reviewer -> "Can review"
  Reader -> "Can view"

Sharing page local roles are generally inherited, so don't over-use them -- this can make it hard to block access to certain folders deeper in your hierarchy when a user or group has access to the parent.

If your application needs more than this in the sharing tab, see http://plone.org/documentation/kb/add-new-roles-to-the-sharing-page

The permissions for these roles are managed either in inherited roles from the plone site (from rolemap.xml in setup), and from workflow state permissions definitions (which act as a template that the workflow applies to your content).

Sean
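Added example, not part of the message above and not Plone's own code: a simplified Python model of the point that the sharing tab stores roles, that those roles are inherited down the folder hierarchy, and that a role only yields a permission where the workflow state grants it. The class, the workflow states and the user "alice" are constructed for illustration; global roles are ignored.

```python
# Simplified model of the behaviour described above; not Plone's code.
# Constructed workflow states: each maps permission -> roles that hold it.
WORKFLOW = {
    "private": {"View": {"Owner", "Reader", "Editor"},
                "Modify portal content": {"Owner", "Editor"}},
    "embargoed": {"View": {"Owner"},  # Reader deliberately left out
                  "Modify portal content": {"Owner"}},
}


class Item:
    def __init__(self, name, parent=None, state="private", inherit=True):
        self.name, self.parent = name, parent
        self.state, self.inherit = state, inherit
        self.local_roles = {}  # principal -> set of role names

    def share(self, principal, *roles):
        """What ticking sharing-tab columns stores: roles, not permissions."""
        self.local_roles.setdefault(principal, set()).update(roles)

    def effective_roles(self, principal):
        """Collect local roles up the containment chain until inheritance is off."""
        roles, node = set(), self
        while node is not None:
            roles |= node.local_roles.get(principal, set())
            node = node.parent if node.inherit else None
        return roles

    def allowed(self, principal, permission):
        """A permission is held only if the current state grants it to a held role."""
        holders = WORKFLOW[self.state].get(permission, set())
        return bool(self.effective_roles(principal) & holders)


def demo():
    site = Item("projects")
    site.share("alice", "Reader")  # sharing-tab column "Can view"
    child = Item("reports", parent=site)
    blocked = Item("hr", parent=site, inherit=False)
    embargoed = Item("draft", parent=site, state="embargoed")
    return {
        "child_roles": child.effective_roles("alice"),
        "child_view": child.allowed("alice", "View"),
        "child_edit": child.allowed("alice", "Modify portal content"),
        "blocked_view": blocked.allowed("alice", "View"),
        "embargoed_view": embargoed.allowed("alice", "View"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In this model the "Can view" grant on the parent reaches every child unless inheritance is switched off on that child, and it grants nothing on an item whose workflow state does not give View to Reader.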
