Hi David,
it seems that group and role management in recent versions of Plone, that use
PAS, PlonePAS and borg.localrole, has many leaks.
I am surprised of how much it has been neglected compared to other functional
areas.
> When I add one group as a member of another ..,
> .. that relationship isn't displayed when I view the members of the parent
> group
I've found that it works if, in prefs_group_members.cpt, you replace
groupMembers group/getGroupMembers|nothing;
with
groupMembers python: gtool.getGroupMembers(groupname);
> But when I try to exercise some permission that would be afforded by the
> nested group membership,
> it acts as though the relationship doesn't exist
I have the same problem.
I've read somewhere that in PlonePAS role inheritance for members of nested
groups hasn't been implemented at all.
I'm trying to solve the problem by extending
- the function/method def _getAllLocalRoles(self, context) in PlonePAS/pas.py
- the method def _get_principal_ids(self, user): in borg.localrole/workspace.py
but probably somebody with better knowledge of the PAS/PlonePAS architecture
could do better.
Does somebody know where to find information on the past evolution and the
planned (?) evolution of the architecture of user/group/role management in
Plone ?
Regards, Giovanni
----- Original Message -----
From: David Hostetler
To: [email protected]
Sent: Wednesday, June 24, 2009 9:30 PM
Subject: [Setup] Re: Nested group membership doesn't work?
Bump -- still hoping for some insight into this issue.
Thanks.
-David Hostetler
On Thu, Jun 18, 2009 at 18:16, David Hostetler <[email protected]> wrote:
When I add one group as a member of another (through plone, via the groups
overview in site setup), that relationship isn't displayed when I view the
members of the parent group. And yet if I look in acl_users/source_groups in
the ZMI, I see the nested group membership correctly. But when I try to
exercise some permission that would be afforded by the nested group membership,
it acts as though the relationship doesn't exist.
I.e.: JoeUser is a member of GroupChild. GroupChild was added as a member
of GroupParent. GroupParent is assigned, say, the Editor role. When logged in
as JoeUser, I can't do things that I should be able to do, afforded to me via
my indirect membership in GroupParent.
I know everything else is wired up right, because if I just assign
GroupChild the same role, then all works as expected. Similarly, if I just
give GroupParent the role, but then explicitly put JoeUser in GroupParent, all
works as expected.
So despite the description in the groups overview UI, adding one group to
another seemingly doesn't work at all. Some of the underlying zope machinery
seems to make note of the relationship, but Plone is oblivious to it.
Note that I also didn't see anything that looked like an error or warning
or anything in the logs when doing this.
If I don't filter Unauthorized errors, I see this:
Unauthorized: Your user account does not have the required permission.
Access to 'Title' of (ATDocument at /Plone/index) denied. Your user account,
testuser, exists at /Plone/acl_users. Access requires one of the following
roles: ['Contributor', 'Editor', 'Manager', 'Owner', 'Reader']. Your roles in
this context are ['Authenticated', 'Member'].
The user should have the 'Editor' role in that context. Plone clearly is
not exercising the nested indirection of group memberships.
regards,
-David Hostetler
------------------------------------------------------------------------------
_______________________________________________
Setup mailing list
[email protected]
http://lists.plone.org/mailman/listinfo/setup
_______________________________________________
Setup mailing list
[email protected]
http://lists.plone.org/mailman/listinfo/setup
