Customizing roles on the sharing tab in 3.0.2

Martin Aspeli optilude at
Sun Oct 21 16:49:00 UTC 2007

Derek Richardson wrote:

> I'm replying to my post, rather than Martin's, because I ended up doing 
> something that he mentioned on irc but not in his post: overriding the 
> of the sharing view to filter out all roles other than the ones I 
> defined. That way I minimize the damage I've done to plone core. The roles don't 
> go away and I can always revert to them, they just don't show up as options for 
> users to select. This is all working now. Yay!
> New questions:
> 1 - Is there a way to get plone.recipe.zope2instance to install my 
> overrides.zcml? The zcml config option doesn't seem to do this and I didn't see 
> an 'overrides' option in the docs on pypi. I had to create my slug manually.

Yes. You do

  zcml =

I thought we'd documented that, but maybe we forgot?

> 2 - So, in the original site, the configuration (not done by me, though, a year 
> ago, I wouldn't have known better, either) was done TTW and the existing roles 
> were repurposed rather than creating brand-new roles. In my new filesystem 
> package that does roles and workflows, I'm defining new roles starting with a 
> prefix (that will hopefully remain unique) to now use in the workflows. The 
> problem is migrating the old role names and mappings to the new role names. This 
> is complicated by the fact that, since we didn't create our own roles but 
> repurposed existing ones, I'm betting the 3.0 migrates the repurposed roles to 
> be the new roles.

We never changed any roles, we only added new ones.

> If I am wrong in this assumption, then I merely need to 
> migrate the old local role assignments to the new names. But, if I'm right, then 
> I need to migrate the 3.0-equivalents to the new names. Pointer to the migration 
> code (I've never looked either for or at the Plone migration code before)?

This is ... complicated. :) You'll need to walk the site and find 
objects where local roles may be assigned and use the RoleManager API 
(DocFinderTab is your friend) to change them. I'd try to avoid it if I 

> Also, I plan to unassign any local role assignments to the stock roles (managers 
> should only be assigned at site root and all other roles assigned will (I 
> think?) be the new roles). Does anyone see a reason why this is unwise?

There's a reason why we limited the selectable local roles in 3.0. :)

> 3 - In our site, we use workflow to control visibility of items (owner-only, 
> owners-readers-writers, all logged in users, and anyone including anonymous). 
> We're on an intranet, so content starts out in a fairly restricted state and 
> owners can choose to open it up. With the advent of the 'logged in users' 
> virtual group in 3.0 (woo hoo!), we can now almost use the sharing tab alone to 
> control visibility. This would be a great win, as none of our users really 
> understand the workflow + sharing tab combo. The only thing standing in our way 
> is the lack of a 'world' virtual group that includes anonymous. I would like to 
> write the code for this, but the lack of it in Plone 3.0 gives me pause, as I 
> would think that, if this were not a Bad Idea (tm), it would already be there. 
> So, is there a solid reason for not doing this?

We actually wanted this for 3.0 but didn't have time: A kind of group 
you can assign on the sharing tab that includes Anonymous. You may be 
able to do it by looking at the existing Authenticated Users virtual 
group, which is just a PAS plug-in.

In case you didn't know, Zope security works so that if something is 
granted to Anonymous (the role) then it doesn't matter what other roles 
you have: you always have this permission.

> A promise:
> After this gets done, I think I will have written a fairly comprehensive 
> security (roles and workflows and sharing tab) package for Plone 3.0. I will 
> document this in a How-To on (unless someone convinces me that what 
> I've done is horrible and others shouldn't be encouraged to do the same). 

Maybe you should show us the code first? Thanks for wanting to document, 

> I 
> still feel bad, Martin, for never getting the time to send suggestions for 
> improving the testing How-To as I had said I would, so consider this an 
> attempt to compensate. ;)


I'd forgotten the promise and we've refactored it already, so that's OK.

Author of `Professional Plone Development`, a book for developers who
want to work with Plone. See
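
One way to do the walk described in the reply above, as an added example that is not part of the original message or of Plone's own code. It assumes only the RoleManager methods `get_local_roles()`, `manage_setLocalRoles()` and `manage_delLocalRoles()` plus `objectValues()` for traversal; `ROLE_MAP`, `DROP`, the "Acme:" prefix and the `FakeItem` stand-in are hypothetical names constructed for illustration.

```python
# Added example: remap local role names down a content tree (names are hypothetical).
ROLE_MAP = {"Reviewer": "Acme: Reviewer", "Editor": "Acme: Writer"}  # old -> new
DROP = {"Manager"}  # stock role that should not stay assigned below the root


def remap_local_roles(obj, role_map=ROLE_MAP, drop=()):
    """Rewrite obj's local roles in place; return how many principals changed."""
    changed = 0
    for principal, roles in obj.get_local_roles():
        new = []
        for role in roles:
            if role in drop:
                continue
            role = role_map.get(role, role)
            if role not in new:
                new.append(role)
        if list(roles) == new:
            continue
        if new:
            obj.manage_setLocalRoles(principal, new)
        else:
            # manage_setLocalRoles rejects an empty role list, so delete instead
            obj.manage_delLocalRoles([principal])
        changed += 1
    return changed


def walk(obj, role_map=ROLE_MAP, drop=DROP, is_root=True):
    # Manager assignments are kept at the site root and dropped everywhere else
    total = remap_local_roles(obj, role_map, () if is_root else drop)
    for child in getattr(obj, "objectValues", lambda: ())():
        total += walk(child, role_map, drop, is_root=False)
    return total


class FakeItem:
    """Constructed stand-in exposing the same methods, for running offline."""
    def __init__(self, local_roles, children=()):
        self._roles = {k: list(v) for k, v in local_roles.items()}
        self._children = list(children)
    def get_local_roles(self):
        return tuple((k, tuple(v)) for k, v in sorted(self._roles.items()))
    def manage_setLocalRoles(self, userid, roles):
        self._roles[userid] = list(roles)
    def manage_delLocalRoles(self, userids):
        for userid in userids:
            self._roles.pop(userid, None)
    def objectValues(self):
        return self._children
```

On a real Plone site, follow each change with the object's `reindexObjectSecurity()` so the catalog reflects the new assignments, and run the walk on a copy of the database first.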
