[Product-Developers] How to assign local roles using the website?

Sean Upton sdupton at gmail.com
Wed Dec 7 19:56:35 UTC 2011


On Wed, Dec 7, 2011 at 6:03 AM, Maarten Nieber <maarten at usecm.com> wrote:

> However, when I open the sharing tab, I see a mapping from "specific users or
> groups" to permissions (can view, can edit, etc), not to roles.

You are dealing with roles, the sharing tab UI just fools otherwise,
unfortunately.

I'm always a bit deflated that Plone papered over the distinction
between roles and permissions on the sharing page.  It is a leaky
abstraction.  The help text has things like "inherit permission" --
that does not do what you think it means.  And the column headings
don't match roles in workflow definitions or ZMI manage_access.   So
really, one is better off customizing the sharing tab UI to show the
role names in addition to the capability label.

IMHO, Plone should really do something like this for the heading of
sharing page columns:

<th>
  <h2>Contributor</h2>
  <h4>(Can add)</h4>
</th>

... and change the help text for "inherit permissions" to use more
accurate terminology (along with any translations).

The default roles and their column names:

Contributor -> "Can add"
Editor -> "Can edit"
Reviewer -> "Can review"
Reader -> "Can view"

Sharing page local roles are generally inherited, so don't over-use
them -- this can make it hard to block access to certain folders
deeper in your hierarchy when a user or group has access to the
parent.

If your application needs more than this in the sharing tab, see
http://plone.org/documentation/kb/add-new-roles-to-the-sharing-page

The permissions for these roles are managed either in inherited roles
from the plone site (from rolemap.xml in setup), and from workflow
state permissions definitions (which act as a template that the
workflow applies to your content).

Sean
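
A simplified model of the local-role inheritance described in the message above, added here as an example; it is not part of the original message and not Plone code. The tree, the principals, the `inherit` flag (assumed to behave like the sharing tab's inherit setting) and all function names are constructed for illustration.

```python
# Simplified model of sharing-tab local roles (constructed data, not Plone's API).
SHARING_LABELS = {
    "Contributor": "Can add",
    "Editor": "Can edit",
    "Reviewer": "Can review",
    "Reader": "Can view",
}

# path -> local roles assigned on that object, plus whether it acquires roles
# from its parent (assumption: models the sharing tab's inherit setting).
TREE = {
    "/site": {"inherit": True, "local_roles": {}},
    "/site/projects": {"inherit": True, "local_roles": {"staff": {"Reader", "Editor"}}},
    "/site/projects/hr": {"inherit": True, "local_roles": {"alice": {"Reviewer"}}},
    "/site/projects/hr/salaries": {"inherit": False, "local_roles": {"hr-team": {"Reader"}}},
}

def ancestors(path):
    """Yield path, then each parent up to the site root."""
    while path in TREE:
        yield path
        path = path.rsplit("/", 1)[0]

def effective_local_roles(path, principals):
    """Return {role: path_where_granted} for a user id plus their group ids."""
    found = {}
    for node in ancestors(path):
        for principal in principals:
            for role in TREE[node]["local_roles"].get(principal, ()):
                found.setdefault(role, node)  # report the nearest grant
        if not TREE[node]["inherit"]:
            break  # acquisition from higher levels is switched off here
    return found

def audit(principals):
    """List every object where the principals hold a role granted further up."""
    report = []
    for path in sorted(TREE):
        for role, source in sorted(effective_local_roles(path, principals).items()):
            if source != path:
                report.append((path, role, SHARING_LABELS[role], source))
    return report

if __name__ == "__main__":
    for row in audit(["alice", "staff"]):
        print("%s: %s (%s) inherited from %s" % row)
```

The audit shows the point about over-use: one grant to a group on a parent folder surfaces as "Can edit" and "Can view" on every descendant that still inherits.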

