After playing around last night, I found a hackish workaround for my problem.  Instead of trying to delete the user's local roles, I just assign a bogus role (eg. "Dummy") to the user in that folder. This replaces the "Broker" role and removes the user's accreditation for that product.  I'd still appreciate it if someone can enlighten me on why the below does not work.

Etienne

-----Original Message-----
From: Etienne Labuschagne [mailto:ELabuschane@gmsonline.co.za]
Sent: Tuesday, November 12, 2002 8:26 PM
To: 'zope@zope.org'
Subject: [Zope] Managing local roles with a script

I have a CMF site.  In the site there are three folders, A, B and C which I call products.  To view a product you need the "Broker" role.

I want to be able to "accredit" a user for any combination of product A, B and C.  Thus I wrote a script, assigning the local Role "Broker" to a user for the folder A, B or C (according to his accreditation).

This works fine.
I also want to be able to remove the accreditation.  So I wrote a script that removes the local roles for those accreditations that were removed.

My problem is with the removing.  The script has proxy role Manager, Broker (and just about anything else by now!) but I cannot get it to remove the roles.

In the script I have tried:
productFolder.manage_delLocalRoles([userId])
AND
context.portal_membership.deleteLocalRoles(productFolder, [userId])
Out of the source I understand why the latter doesn't work - it ignores proxy roles and uses manage_delLocalRoles anyway.  Why doesn't the first one also not work?  Does it also ignore proxy roles?  The script works if I am logged in as "Manager", but I want a "BrokerManager" user to also be able to use this script without giving him full "Manager" rights.

B.t.w. the above fails silently, no exception, the role removal just doesn't happen.
Thanks
Etienne