Nested group membership doesn't work?

David Hostetler () Nested group membership doesn't work?
When I add one group as a member of another (through Plone, via the groups overview in site setup), that relationship isn't displayed when I view the members of the parent group.  And yet if I look in acl_users/source_groups in the ZMI, I see the nested group membership correctly.   But when I try to exercise some permission that would be afforded by the nested group membership, it acts as though the relationship doesn't exist.

I.e.: JoeUser is a member of GroupChild.  GroupChild was added as a member of GroupParent.  GroupParent is assigned, say, the Editor role.  When logged in as JoeUser, I can't do things that I should be able to do, afforded to me via my indirect membership in GroupParent.

I know everything else is wired up right, because if I just assign GroupChild the same role, then all works as expected.  Similarly, if I just give GroupParent the role, but then explicitly put JoeUser in GroupParent, all works as expected.

So despite the description in the groups overview UI, adding one group to another seemingly doesn't work at all.  Some of the underlying zope machinery seems to make note of the relationship, but Plone is oblivious to it.

Note that I also didn't see anything that looked like an error or warning or anything in the logs when doing this.

If I don't filter Unauthorized errors, I see this:

Unauthorized: Your user account does not have the required permission.  Access to 'Title' of (ATDocument at /Plone/index) denied. Your user account, testuser, exists at /Plone/acl_users. Access requires one of the following roles: ['Contributor', 'Editor', 'Manager', 'Owner', 'Reader']. Your roles in this context are ['Authenticated', 'Member'].

The user should have the 'Editor' role in that context.  Plone clearly is not exercising the nested indirection of group memberships.


regards,


-David Hostetler

_______________________________________________
Setup mailing list
[hidden email]
http://lists.plone.org/mailman/listinfo/setup
cewing () Re: Nested group membership doesn't work?

David Hostetler-4 wrote:
> The user should have the 'Editor' role in that context.  Plone clearly is
> not exercising the nested indirection of group memberships.
David,

Take a look at the recursive groups plugin in acl_users.  Add one and activate it, that should take care of the problem.

c
David Hostetler () Re: Nested group membership doesn't work?
Bump -- still hoping for some insight into this issue.

Thanks.

-David Hostetler


On Thu, Jun 18, 2009 at 18:16, David Hostetler <[hidden email]> wrote:
Giovanni Toffoli () Re: Re: Nested group membership doesn't work?

Hi David,
 
it seems that group and role management in recent versions of Plone, that use PAS, PlonePAS and borg.localrole, has many leaks.
I am surprised at how much it has been neglected compared to other functional areas.
 
> When I add one group as a member of another  ..,
> .. that relationship isn't displayed when I view the members of the parent group
 
I've found that it works if, in prefs_group_members.cpt, you replace
    groupMembers group/getGroupMembers|nothing;
with
    groupMembers python: gtool.getGroupMembers(groupname);
 
> But when I try to exercise some permission that would be afforded by the nested group membership,
> it acts as though the relationship doesn't exist
 
I have the same problem.
I've read somewhere that in PlonePAS role inheritance for members of nested groups hasn't been implemented at all.
I'm trying to solve the problem by extending
- the function/method def _getAllLocalRoles(self, context) in PlonePAS/pas.py
- the method def _get_principal_ids(self, user): in borg.localrole/workspace.py
but probably somebody with better knowledge of the PAS/PlonePAS architecture could do better.
 
Does somebody know where to find information on the past evolution and the planned (?) evolution of the architecture of user/group/role management in Plone?
 
Regards, Giovanni
----- Original Message -----
Sent: Wednesday, June 24, 2009 9:30 PM
Subject: [Setup] Re: Nested group membership doesn't work?
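The following is an added example, not code from Plone, PlonePAS or the posters above. It models the situation described in the thread (JoeUser in GroupChild, GroupChild in GroupParent, Editor granted only to GroupParent) to show why a flat group lookup produces exactly the ['Authenticated', 'Member'] result David saw and the incomplete member listing Giovanni worked around, and what a recursive (transitive) resolver of the kind cewing points to adds. All data, group names and function names are constructed for illustration; nothing here is PlonePAS's API.

```python
"""Transitive group membership vs. a flat lookup (added example, not Plone code).

Models the thread's case: JoeUser -> GroupChild -> GroupParent, Editor on the
parent only. Shows why a flat lookup denies JoeUser and hides nested members,
and what a recursive resolver changes. Names and data are constructed.
"""
from collections import deque

# Constructed sample data: principal -> groups it is DIRECTLY a member of.
# Groups are principals too, so a group can be listed as a member of another group.
DIRECT_MEMBERSHIP = {
    "JoeUser": {"GroupChild"},
    "GroupChild": {"GroupParent"},
    "GroupParent": set(),
}

# Roles assigned per principal. Only the parent group carries Editor, as in the thread.
PRINCIPAL_ROLES = {
    "GroupParent": {"Editor"},
}

# Constructed membership graph containing a cycle, to show the resolver terminates.
CYCLIC_MEMBERSHIP = {
    "GroupA": {"GroupB"},
    "GroupB": {"GroupA"},
}

# Roles every logged-in user has regardless of groups (as in the Unauthorized message).
BASE_ROLES = {"Authenticated", "Member"}


def direct_groups(principal, membership=DIRECT_MEMBERSHIP):
    """Flat lookup: only the groups the principal is listed in directly."""
    return set(membership.get(principal, ()))


def all_groups(principal, membership=DIRECT_MEMBERSHIP):
    """Transitive closure of group membership (breadth-first, cycle-safe).

    This is what a recursive-groups resolver contributes: a principal's groups
    include the groups of its groups, and so on. A group reached through a
    cycle is reported once and never re-expanded.
    """
    seen = set()
    queue = deque(membership.get(principal, ()))
    while queue:
        group = queue.popleft()
        if group in seen:  # already expanded: this is the cycle protection
            continue
        seen.add(group)
        queue.extend(membership.get(group, ()))
    return seen


def roles_for(principal, recursive, membership=DIRECT_MEMBERSHIP, roles=PRINCIPAL_ROLES):
    """Roles a principal ends up with: base roles, its own, and those of its resolved groups."""
    groups = all_groups(principal, membership) if recursive else direct_groups(principal, membership)
    result = BASE_ROLES | set(roles.get(principal, ()))
    for group in groups:
        result |= set(roles.get(group, ()))
    return result


def is_authorized(principal, required_roles, recursive):
    """Mirror of the Unauthorized check: holding any one of the required roles suffices."""
    return bool(roles_for(principal, recursive) & set(required_roles))


def group_members(group, recursive, membership=DIRECT_MEMBERSHIP):
    """Members of a group as a group-overview page would list them.

    recursive=False lists direct members only (users in nested groups are invisible);
    recursive=True also lists users reached through nested groups.
    """
    members = []
    for principal in membership:
        if principal == group:
            continue
        groups = all_groups(principal, membership) if recursive else direct_groups(principal, membership)
        if group in groups:
            members.append(principal)
    return sorted(members)


if __name__ == "__main__":
    required = ["Contributor", "Editor", "Manager", "Owner", "Reader"]
    for recursive in (False, True):
        mode = "recursive" if recursive else "flat"
        print(f"[{mode}] JoeUser roles: {sorted(roles_for('JoeUser', recursive))}")
        print(f"[{mode}] JoeUser authorized: {is_authorized('JoeUser', required, recursive)}")
        print(f"[{mode}] GroupParent members: {group_members('GroupParent', recursive)}")
    print("cycle resolves to:", sorted(all_groups("GroupA", CYCLIC_MEMBERSHIP)))
```

Two things worth noting from the model. The flat lookup fails closed: a nested user is denied, which is what the thread observes, so turning on transitive resolution only ever widens who holds a role. Before enabling it, re-check which parent groups carry roles such as Manager or Editor, because every user reachable through any depth of nesting will then inherit them. And a resolver must tolerate cycles in the stored membership graph rather than assume there are none; the `seen` set above is what keeps the expansion finite.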
Giovanni Toffoli () Re: Re: Nested group membership doesn't work?

Hi David,
 
but is this the appropriate list for this kind of issues?
 
Anyway,
 
> I have the same problem.
> I've read somewhere that in PlonePAS role inheritance for members of nested groups hasn't been implemented at all.
> I'm trying to solve the problem by extending
> - the function/method def _getAllLocalRoles(self, context) in PlonePAS/pas.py
> - the method def _get_principal_ids(self, user): in borg.localrole/workspace.py
> but probably somebody with better knowledge of the PAS/PlonePAS architecture could do better.
 
I've just posted 2 comments with some code to Ticket #9317 in the Plone issue tracker ("Subgroups and associated roles not working"):
 
Regards, Giovanni
 
----- Original Message -----
Sent: Thursday, June 25, 2009 12:43 AM
Subject: Re: [Setup] Re: Nested group membership doesn't work?