On Wed, 11 Apr 2007 11:11:51 -0400, Stan McFarland <[EMAIL PROTECTED]> wrote:


I have what I think is a fairly simple use case for my Plone site. I want to be able to add a local role dynamically based on two factors - the content of the object, and a given external condition. So I've written a local role plugin, where getRolesInContext() checks these two factors and returns either an empty list or a list containing one item - the new role. This seems to work well. It's the checkLocalRolesAllowed() method I'm having a problem with. My logic looks like:

if object has specific content:
  if external condition is true:
    return 1
  return None
return None

From looking at the PlonePAS code, it appears that the PloneUser class iterates through all of the LocalRole plugins, and continues until one of the plugins returns something other than None. But what happens is that the user is still denied access to the object. If I change the last return to "1", the user can access the object, but naturally gets access to everything else as well.

Am I missing some basic logic here?

the local roles plugin logic in plonepas user is of a short-circuit variety, so this is dependent on plugin ordering in addition to return values, i.e. if you have the default local role plugin active and of higher precedence, and it returns something non-None, your plugin won't be called, and you likely won't have the role. arguably this is a bug in plonepas.

a quick way to check this and roles in general is to put together a python script that shows the user's roles and permissions in context. as a quick example, here's one i use on occasion (check_roles).. and just invoke it in the url after the context, by appending check_roles.

# Zope Script (Python): print output is collected and returned via `printed`
member = context.portal_membership.getAuthenticatedMember()
print "uid", member.getId()
print "email", member.getProperty('fullname'), member.getProperty('email')
print "groups", member.getGroups()
# roles the user holds on this object, including local roles
print "roles context", member.getRolesInContext( context )
# effective permissions on this object
print "perm reply", context.portal_membership.checkPermission('Reply to item', context)
print "perm add", context.portal_membership.checkPermission('Add portal content', context)
print "perm modify", context.portal_membership.checkPermission('Modify portal content', context)
print "discuss", context.portal_discussion.isDiscussionAllowedFor(context)

return printed


Zope-PAS mailing list
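
The short-circuit behaviour discussed in this thread, as an added example that is not part of either message and is not PlonePAS source: a simplified Python 3 model in which the first plugin to return a non-None answer decides the check. The class names, the sample data, and the stand-in default plugin returning 0 as a definite denial are assumptions made for illustration.

```python
# Simplified model of the short-circuit evaluation described in the thread.
# All names here are hypothetical; this is not PlonePAS source.

def check_allowed(plugins, user, obj, object_roles):
    """Ask plugins in order; the first non-None answer is final."""
    for plugin in plugins:
        answer = plugin.checkLocalRolesAllowed(user, obj, object_roles)
        if answer is not None:
            return bool(answer), type(plugin).__name__
    return False, None  # no plugin had an opinion: deny


class StoredRolesPlugin:
    """Stand-in for a default plugin that answers from stored local roles.
    Assumption: it returns 0 (a definite 'no') when roles are stored for the
    object but the user holds none of the required ones."""

    def __init__(self, stored):
        self.stored = stored  # {object id: {user id: set of roles}}

    def checkLocalRolesAllowed(self, user, obj, object_roles):
        roles_here = self.stored.get(obj["id"])
        if roles_here is None:
            return None
        return 1 if roles_here.get(user, set()) & set(object_roles) else 0


class ConditionalRolePlugin:
    """The poster's logic: grant only for specific content plus a condition."""

    def __init__(self, condition, always_grant=False):
        self.condition = condition
        self.always_grant = always_grant  # models changing the last return to 1

    def checkLocalRolesAllowed(self, user, obj, object_roles):
        if obj.get("special") and self.condition():
            return 1
        return 1 if self.always_grant else None  # None lets the next plugin decide


# Constructed sample data.
STORED = StoredRolesPlugin({"report": {"owner": {"Owner"}},
                            "memo": {"owner": {"Owner"}}})
REPORT = {"id": "report", "special": True}
MEMO = {"id": "memo", "special": False}
CUSTOM = ConditionalRolePlugin(lambda: True)
```

With `[STORED, CUSTOM]` the custom plugin is never consulted for `REPORT`; with `[CUSTOM, STORED]` it grants on `REPORT` and defers to the stored roles on `MEMO`, while `always_grant=True` grants on every object regardless of content.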
