[Setup] Nested group membership doesn't work?

David Hostetler negativesum at gmail.com
Thu Jun 18 22:16:32 UTC 2009


When I add one group as a member of another (through Plone, via the groups
overview in site setup), that relationship isn't displayed when I view the
members of the parent group.  And yet if I look in acl_users/source_groups
in the ZMI, I see the nested group membership correctly.  But when I try to
exercise some permission that would be afforded by the nested group
membership, it acts as though the relationship doesn't exist.

I.e.: JoeUser is a member of GroupChild.  GroupChild was added as a member
of GroupParent.  GroupParent is assigned, say, the Editor role.  When logged
in as JoeUser, I can't do things that I should be able to do, afforded to me
via my indirect membership in GroupParent.

I know everything else is wired up right, because if I just assign
GroupChild the same role, then all works as expected.  Similarly, if I just
give GroupParent the role, but then explicitly put JoeUser in GroupParent,
all works as expected.

So despite the description in the groups overview UI, adding one group to
another seemingly doesn't work at all.  Some of the underlying Zope
machinery seems to make note of the relationship, but Plone is oblivious to
it.

Note that I also didn't see anything that looked like an error or warning or
anything in the logs when doing this.

If I don't filter Unauthorized errors, I see this:

Unauthorized: Your user account does not have the required permission.
Access to 'Title' of (ATDocument at /Plone/index) denied. Your user account,
testuser, exists at /Plone/acl_users. Access requires one of the following
roles: ['Contributor', 'Editor', 'Manager', 'Owner', 'Reader']. Your roles
in this context are ['Authenticated', 'Member'].

The user should have the 'Editor' role in that context.  Plone clearly is
not exercising the nested indirection of group memberships.


regards,


-David Hostetler
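
The message above contrasts a nested group relationship that is stored with one that is evaluated when roles are computed. As an added example (not part of the original message, and not Plone or PAS code), this Python model reproduces that gap: direct-only lookup gives the roles shown in the error, transitive lookup adds Editor. The data, function names and base roles are constructed for illustration.

```python
# Constructed model of the scenario in the post; not Plone or PAS code.
from collections import deque

# principal -> groups it is directly a member of (constructed sample data)
MEMBER_OF = {
    "JoeUser": {"GroupChild"},
    "GroupChild": {"GroupParent"},
}
# principal -> roles assigned directly to it (constructed sample data)
ROLES = {
    "GroupParent": {"Editor"},
}
# Roles every logged-in user has in this model (assumption, taken from the error text)
BASE_ROLES = {"Authenticated", "Member"}


def groups_for(principal, recursive):
    """Return the groups of a principal; follow nested groups only if recursive."""
    direct = set(MEMBER_OF.get(principal, ()))
    if not recursive:
        return direct
    seen, queue = set(), deque(direct)
    while queue:
        group = queue.popleft()
        if group in seen:  # guards against membership cycles
            continue
        seen.add(group)
        queue.extend(MEMBER_OF.get(group, ()))
    return seen


def effective_roles(principal, recursive):
    """Roles held directly plus roles of every group returned by groups_for."""
    roles = set(BASE_ROLES) | ROLES.get(principal, set())
    for group in groups_for(principal, recursive):
        roles |= ROLES.get(group, set())
    return sorted(roles)


def hidden_grants(principal):
    """Roles reachable only through nesting: stored, but not enforced by direct lookup."""
    with_nesting = set(effective_roles(principal, True))
    return sorted(with_nesting - set(effective_roles(principal, False)))


if __name__ == "__main__":
    print("direct only:", effective_roles("JoeUser", False))
    print("transitive: ", effective_roles("JoeUser", True))
    print("gap:        ", hidden_grants("JoeUser"))
```

Running `hidden_grants` over every principal shows which role assignments depend on nesting, which is worth knowing before changing how group membership is resolved.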