Previously Tres Seaver wrote:
> The installer for a 'Plone Site' replaces the root acl_users with a PAS:
>  I've argued that this is poor practice (inexcusably rude, actually),
> but they seem determined to continue it.

Rewriting the PlonePAS install code and checking if we can remove the
root acl_users changing logic is on my todo list. The whole PlonePAS
install code is somewhat nasty unfortunately.

> >   Now I can only add users from the ZODB User Manager under /acl_users/users,
> > there is nowhere to add a user from an Add button as in the older version of
> > Zope.
> Correct.  In PAS, there are actually potentially multiple user sources
> (e.g., SQL, LDAP, NTLM, etc.).  Adding them to the 'ZODB users' plugin
> is the "cognate" of the old "Add" button.

I started writing some PAS documentation recently that may give some
useful background information. You can find it at

> >   I can add roles from ZODB Role Manager in /acl_users/roles but these roles
> > don't show up under the Security tab on any page.  I can add local roles
> > under the Security tab and they don't show up in /acl_users/roles.
> Correct.  The roles in the PAS plugin are used to control "global"
> grants to the users;  the roles you set on a folder (even the root), are
> about "local" grants.

There is (imho) a buglet here: creating new roles now involves creating
both in the PAS roles manager and in the ZMI security tab.
ZODBRoleManager takes a snapshot of all existing roles in its
manage_afterAdd method, but never updates that list later. 

Following your logic it would make more sense if the ZODBRoleManager
did not make a snapshot of existing roles to make the distinction
between global and local roles more obvious.

The whole local vs global roles thing always seems to get me confused.

> > Am still searching the WEB and archives in the meantime.
> The better list for this would be [EMAIL PROTECTED] (CC'ed), which
> deals with PAS specifics.

How do and [EMAIL PROTECTED] relate to
each other? I've always wondered that.


Wichert Akkerman <[EMAIL PROTECTED]>
It is simple to make things.
It is hard to make things simple.
Zope-PAS mailing list