[Zope-PAS] struggling with Local Role plugin
Kapil Thangavelu
hazmat at objectrealms.net
Wed Apr 11 12:09:38 EDT 2007
On Wed, 11 Apr 2007 11:11:51 -0400, Stan McFarland <sfmcfar at gmail.com>
wrote:
> Hi,
>
> I have what I think is a fairly simple use case for my Plone site. I want to
> be able to add a local role dynamically based on two factors - the content of
> the object, and a given external condition. So I've written a local role
> plugin, where getRolesInContext() checks these two factors and returns either
> an empty list or a list containing one item - the new role. This seems to work
> well. It's the checkLocalRolesAllowed() method I'm having a problem with. My
> logic looks like:
>
> if object has specific content:
>     if external condition is true:
>         return 1
>     else:
>         return None
> return None
>
>
> From looking at the PlonePAS code, it appears that the PloneUser class iterates
> through all of the LocalRole plugins, and continues until one of the plugins
> returns something other than None. But what happens is that the user is still
> denied access to the object. If I change the last return to "1", the user can
> access the object, but naturally gets access to everything else as well.
>
> Am I missing some basic logic here?
>
the local roles plugin logic in plonepas user is of a shortcircuit
variety, so this is dependent on plugin ordering in addition to return
values, ie. if you have the default local role plugin active and at a
higher precedence, and it returns something non-None, your plugin won't be
called, and you likely won't have the role. arguably this is a bug in
plonepas.

a quick way to check this and roles in general is to put together a python
script that shows the user's roles and permissions in context. as a quick
example, here's one i use on occasion (check_roles); just invoke it in the
url after the context, by appending check_roles.

# Zope Script (Python): output of the print statements is collected in
# `printed` and returned as the response body.
member = context.portal_membership.getAuthenticatedMember()
print "uid", member.getId()
print "email", member.getProperty('fullname'), member.getProperty('email')
print "groups", member.getGroups()
# roles the member holds on this object, local roles included
print "roles context", member.getRolesInContext( context )
# effective permission checks against the same context
print "perm reply", context.portal_membership.checkPermission('Reply to item', context)
print "perm add", context.portal_membership.checkPermission('Add portal content', context)
print "perm modify", context.portal_membership.checkPermission('Modify portal content', context)
print "discuss", context.portal_discussion.isDiscussionAllowedFor(context)
return printed

hth,
kapil
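
A simplified model of the short-circuit described in the reply above, added here as an example (it is not PlonePAS source and not part of the original post). The class names, `check_allowed`, the sample data, and the premise that the default plugin answers 0 rather than None are all assumptions made for illustration.

```python
# Simplified model of first-non-None-wins local role checking.
# All names are hypothetical; this is not PlonePAS code.

class DefaultLocalRoles:
    """Stand-in for a stock plugin, assumed to always give a definite answer."""
    name = "default_local_roles"

    def __init__(self, granted):
        self.granted = granted          # {(user, path): set of roles}

    def checkLocalRolesAllowed(self, user, obj, object_roles):
        roles = self.granted.get((user, obj["path"]), set())
        return 1 if roles & set(object_roles) else 0   # never None


class ConditionalRole:
    """Stand-in for the poster's plugin: 1 when both factors hold, else None."""
    name = "conditional_role"

    def __init__(self, condition):
        self.condition = condition      # callable: the external condition

    def checkLocalRolesAllowed(self, user, obj, object_roles):
        if obj.get("special") and self.condition():
            return 1
        return None                     # abstain; the next plugin decides


def check_allowed(plugins, user, obj, object_roles):
    """Return (allowed, deciding plugin name, plugins consulted in order)."""
    consulted = []
    for plugin in plugins:
        consulted.append(plugin.name)
        value = plugin.checkLocalRolesAllowed(user, obj, object_roles)
        if value is not None:           # short circuit on first non-None
            return bool(value), plugin.name, consulted
    return False, None, consulted


# Constructed sample data.
doc = {"path": "/site/doc", "special": True}
default = DefaultLocalRoles({("stan", "/site/folder"): {"Reviewer"}})
custom = ConditionalRole(lambda: True)

default_first = check_allowed([default, custom], "stan", doc, ["Reviewer"])
custom_first = check_allowed([custom, default], "stan", doc, ["Reviewer"])
print(default_first)
print(custom_first)
```

With the default plugin ordered first the custom plugin is never consulted and access is denied; with the custom plugin first it grants access on the matching object and abstains everywhere else.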