[Setup] Re: Nested group membership doesn't work?

Giovanni Toffoli toffoli at uni.net
Thu Jun 25 13:33:43 UTC 2009


Hi David,

but is this the appropriate list for this kind of issues?

Anyway,

> I have the same problem.
> I've read somewhere that in PlonePAS role inheritance for members of nested groups hasn't been implemented at all.
> I'm trying to solve the problem by extending
> - the function/method def _getAllLocalRoles(self, context) in PlonePAS/pas.py
> - the method def _get_principal_ids(self, user): in borg.localrole/workspace.py
> but probably somebody with better knowledge of the PAS/PlonePAS architecture could do better.

I've just posted 2 comments with some code to Ticket #9317in the Plone issue tracker ("Subgroups and associated roles not working"):
http://dev.plone.org/plone/ticket/9317

Regards, Giovanni

----- Original Message ----- 
  From: Giovanni Toffoli 
  To: David Hostetler ; setup at lists.plone.org 
  Sent: Thursday, June 25, 2009 12:43 AM
  Subject: Re: [Setup] Re: Nested group membership doesn't work?


  Hi David,

  it seems that group and role management in recent versions of Plone, that use PAS, PlonePAS and borg.localrole, has many leaks.
  I am surprised of how much it has been neglected compared to other functional areas.

  > When I add one group as a member of another  ..,
  > .. that relationship isn't displayed when I view the members of the parent group

  I've found that it works if, in prefs_group_members.cpt, you replace
      groupMembers group/getGroupMembers|nothing;
  with
      groupMembers python: gtool.getGroupMembers(groupname);

  > But when I try to exercise some permission that would be afforded by the nested group membership,
  > it acts as though the relationship doesn't exist

  I have the same problem.
  I've read somewhere that in PlonePAS role inheritance for members of nested groups hasn't been implemented at all.
  I'm trying to solve the problem by extending
  - the function/method def _getAllLocalRoles(self, context) in PlonePAS/pas.py
  - the method def _get_principal_ids(self, user): in borg.localrole/workspace.py
  but probably somebody with better knowledge of the PAS/PlonePAS architecture could do better.

  Does somebody know where to find information on the past evolution and the planned (?) evolution of the architecture of user/group/role management in Plone ?

  Regards, Giovanni
    ----- Original Message ----- 
    From: David Hostetler 
    To: setup at lists.plone.org 
    Sent: Wednesday, June 24, 2009 9:30 PM
    Subject: [Setup] Re: Nested group membership doesn't work?


    Bump -- still hoping for some insight into this issue.

    Thanks.

    -David Hostetler



    On Thu, Jun 18, 2009 at 18:16, David Hostetler <negativesum at gmail.com> wrote:

      When I add one group as a member of another (through plone, via the groups overview in site setup), that relationship isn't displayed when I view the members of the parent group.  And yet if I look in acl_users/source_groups in the ZMI, I see the nested group membership correctly.   But when I try to exercise some permission that would be afforded by the nested group membership, it acts as though the relationship doesn't exist.

      I.e.: JoeUser is a member of GroupChild.  GroupChild was added as a member of GroupParent.  GroupParent is assigned, say, the Editor role.  When logged in as JoeUser, I can't do things that I should be able to do, afforded to me via my indirect membership in GroupParent.

      I know everything else is wired up right, because if I just assign GroupChild the same role, then all works as expected.  Similarly, if I just give GroupParent the role, but then explicitly put JoeUser in GroupParent, all works as expected.

      So despite the description in the groups overview UI, adding one group to another seemingly doesn't work at all.  Some of the underlying zope machinery seems to make note of the relationship, but Plone is oblivious to it.

      Note that I also didn't see anything that looked like an error or warning or anything in the logs when doing this.

      If I don't filter Unauthorized errors, I see this:

      Unauthorized: Your user account does not have the required permission.  Access to 'Title' of (ATDocument at /Plone/index) denied. Your user account, testuser, exists at /Plone/acl_users. Access requires one of the following roles: ['Contributor', 'Editor', 'Manager', 'Owner', 'Reader']. Your roles in this context are ['Authenticated', 'Member'].

      The user should have the 'Editor' role in that context.  Plone clearly is not exercising the nested indirection of group memberships.


      regards,


      -David Hostetler





----------------------------------------------------------------------------


    _______________________________________________
    Setup mailing list
    Setup at lists.plone.org
    http://lists.plone.org/mailman/listinfo/setup



------------------------------------------------------------------------------


  _______________________________________________
  Setup mailing list
  Setup at lists.plone.org
  http://lists.plone.org/mailman/listinfo/setup
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.plone.org/pipermail/setup/attachments/20090625/561c6f28/attachment.htm


More information about the Setup mailing list