[Setup] Re: Nested group membership doesn't work?
Giovanni Toffoli
toffoli at uni.net
Thu Jun 25 13:33:43 UTC 2009
Hi David,
but is this the appropriate list for this kind of issues?
Anyway,
> I have the same problem.
> I've read somewhere that in PlonePAS role inheritance for members of nested groups hasn't been implemented at all.
> I'm trying to solve the problem by extending
> - the function/method def _getAllLocalRoles(self, context) in PlonePAS/pas.py
> - the method def _get_principal_ids(self, user): in borg.localrole/workspace.py
> but probably somebody with better knowledge of the PAS/PlonePAS architecture could do better.
I've just posted 2 comments with some code to Ticket #9317in the Plone issue tracker ("Subgroups and associated roles not working"):
http://dev.plone.org/plone/ticket/9317
Regards, Giovanni
----- Original Message -----
From: Giovanni Toffoli
To: David Hostetler ; setup at lists.plone.org
Sent: Thursday, June 25, 2009 12:43 AM
Subject: Re: [Setup] Re: Nested group membership doesn't work?
Hi David,
it seems that group and role management in recent versions of Plone, that use PAS, PlonePAS and borg.localrole, has many leaks.
I am surprised of how much it has been neglected compared to other functional areas.
> When I add one group as a member of another ..,
> .. that relationship isn't displayed when I view the members of the parent group
I've found that it works if, in prefs_group_members.cpt, you replace
groupMembers group/getGroupMembers|nothing;
with
groupMembers python: gtool.getGroupMembers(groupname);
> But when I try to exercise some permission that would be afforded by the nested group membership,
> it acts as though the relationship doesn't exist
I have the same problem.
I've read somewhere that in PlonePAS role inheritance for members of nested groups hasn't been implemented at all.
I'm trying to solve the problem by extending
- the function/method def _getAllLocalRoles(self, context) in PlonePAS/pas.py
- the method def _get_principal_ids(self, user): in borg.localrole/workspace.py
but probably somebody with better knowledge of the PAS/PlonePAS architecture could do better.
Does somebody know where to find information on the past evolution and the planned (?) evolution of the architecture of user/group/role management in Plone ?
Regards, Giovanni
----- Original Message -----
From: David Hostetler
To: setup at lists.plone.org
Sent: Wednesday, June 24, 2009 9:30 PM
Subject: [Setup] Re: Nested group membership doesn't work?
Bump -- still hoping for some insight into this issue.
Thanks.
-David Hostetler
On Thu, Jun 18, 2009 at 18:16, David Hostetler <negativesum at gmail.com> wrote:
When I add one group as a member of another (through plone, via the groups overview in site setup), that relationship isn't displayed when I view the members of the parent group. And yet if I look in acl_users/source_groups in the ZMI, I see the nested group membership correctly. But when I try to exercise some permission that would be afforded by the nested group membership, it acts as though the relationship doesn't exist.
I.e.: JoeUser is a member of GroupChild. GroupChild was added as a member of GroupParent. GroupParent is assigned, say, the Editor role. When logged in as JoeUser, I can't do things that I should be able to do, afforded to me via my indirect membership in GroupParent.
I know everything else is wired up right, because if I just assign GroupChild the same role, then all works as expected. Similarly, if I just give GroupParent the role, but then explicitly put JoeUser in GroupParent, all works as expected.
So despite the description in the groups overview UI, adding one group to another seemingly doesn't work at all. Some of the underlying zope machinery seems to make note of the relationship, but Plone is oblivious to it.
Note that I also didn't see anything that looked like an error or warning or anything in the logs when doing this.
If I don't filter Unauthorized errors, I see this:
Unauthorized: Your user account does not have the required permission. Access to 'Title' of (ATDocument at /Plone/index) denied. Your user account, testuser, exists at /Plone/acl_users. Access requires one of the following roles: ['Contributor', 'Editor', 'Manager', 'Owner', 'Reader']. Your roles in this context are ['Authenticated', 'Member'].
The user should have the 'Editor' role in that context. Plone clearly is not exercising the nested indirection of group memberships.
regards,
-David Hostetler
----------------------------------------------------------------------------
_______________________________________________
Setup mailing list
Setup at lists.plone.org
http://lists.plone.org/mailman/listinfo/setup
------------------------------------------------------------------------------
_______________________________________________
Setup mailing list
Setup at lists.plone.org
http://lists.plone.org/mailman/listinfo/setup
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.plone.org/pipermail/setup/attachments/20090625/561c6f28/attachment.htm
More information about the Setup
mailing list