Rolemap importer offers no way to append roles into existing permissions #8

Open
tseaver opened this issue May 22, 2015 · 1 comment

Comments


tseaver commented May 22, 2015

In https://bugs.launchpad.net/zope-cmf/+bug/1227290, @seanupton reported:

If a GenericSetup base profile defines a set of roles for a permission in its rolemap.xml, it is impossible to supplement (append) roles to that permission from an extension profile. Rather, the extension profile rolemap.xml must include duplicative (all) roles (for each permission) listed in upstream base profile and cannot merely supplement.

I have verified the outcome of this looking at manage_access in a Plone site, and by reviewing the code.

AccessControl.rolemanager.RoleManager.manage_permission() is passed only what is explicitly in the rolemap.xml for an extension profile by Products.GenericSetup.rolemap.importRolemap(). Permission.setRoles() does a setattr() replacement of the roles tuple/list in each permission. The consequence of this is that it is impossible to merge/supplement/append roles.

The work-around is to copylift and duplicate all roles listed in upstream package profiles.

Note: ac_roles is fine, is supplemented correctly. This is a per-permission mapping issue.

Versions: Zope: 2.13.21, Products.GenericSetup 1.7.4, Products.CMFCore 2.2.7 on Python 2.7.3


frisi commented Jun 5, 2018

This is how I worked around this limitation in a custom upgrade step:

    from plone import api  # plone.api provides api.portal.get()

    portal = api.portal.get()
    role = 'NewRole'
    permission = 'My Permission'

    # add the new role
    existing_roles = list(portal.__ac_roles__)
    if role not in existing_roles:
        portal.__ac_roles__ = tuple(existing_roles + [role])

    # rolemap.xml does not allow to add a single
    # role to a permission and leave the other roles untouched
    # see https://github.com/zopefoundation/Products.GenericSetup/issues/8
    roles = [
        item['name']
        for item in portal.rolesOfPermission(permission)
        if item['selected'].lower() == 'selected']
    acquire = portal.acquiredRolesAreUsedBy(permission).lower() == 'checked'
    if role not in roles:
        # roles is already a list: concatenate it, do not nest it
        portal.manage_permission(permission, roles + [role], acquire)

I guess this code can pretty much be reused in https://github.com/zopefoundation/Products.GenericSetup/blob/1.10.0/Products/GenericSetup/rolemap.py#L100

All that needs to be done is to add support for purging existing roles or not:

    <permission
        name="My Permission"
        acquire="True"
        purge="False">
      <role name="NewRole"/>
    </permission>
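
The difference between the replace-only import reported in this issue and the `purge="False"` append proposed in the comment above, as an added example that is not part of the original thread and is not GenericSetup code. It models permissions as plain dicts with no Zope objects; `merge_rolemap`, `_as_bool`, the sample data and the treatment of a missing `acquire` attribute are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: roles a base profile already granted (not from a real site).
EXISTING = {"My Permission": {"roles": ["Manager", "Owner"], "acquire": False}}

# Constructed extension-profile rolemap.xml; purge="False" is the attribute
# proposed in the comment above, not an attribute the page shows as implemented.
EXTENSION_XML = """
<rolemap>
  <permissions>
    <permission name="My Permission" acquire="True" purge="False">
      <role name="NewRole"/>
    </permission>
    <permission name="Other Permission" acquire="False">
      <role name="Editor"/>
    </permission>
  </permissions>
</rolemap>
"""


def _as_bool(value, default):
    """Parse an XML boolean attribute; fall back to default when absent."""
    if value is None:
        return default
    return value.strip().lower() in ("true", "yes", "1")


def merge_rolemap(existing, xml_text):
    """Return a new permission -> settings map after applying xml_text."""
    result = {p: {"roles": list(s["roles"]), "acquire": s["acquire"]}
              for p, s in existing.items()}
    for node in ET.fromstring(xml_text).iter("permission"):
        name = node.get("name")
        listed = [r.get("name") for r in node.findall("role")]
        current = result.get(name, {"roles": [], "acquire": True})
        # purge defaults to True: the replace-only behaviour the issue reports.
        if _as_bool(node.get("purge"), True):
            roles = listed  # every role not listed here loses the permission
        else:
            roles = current["roles"] + [r for r in listed
                                        if r not in current["roles"]]
        result[name] = {"roles": roles,
                        "acquire": _as_bool(node.get("acquire"), current["acquire"])}
    return result
```

Running the same XML without the `purge` attribute leaves `My Permission` with only `NewRole`, which is the silent loss of `Manager` and `Owner` worth checking for after applying an extension profile.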
