[Zope-PAS] Re: Failure authorizing with PlonePAS and pubcookie

Tres Seaver tseaver at palladion.com
Tue Feb 13 17:33:19 EST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael Gilbert wrote:
> Thanks for responding.
> 
> The multi-plugin was written by Cris (cc'd above) here at UW.  The 
> plugin isn't incredibly invasive, and in fact at one point it seemed to 
> be working so I tend to assume that it may be a 
> configuration/installation/human error.  If you'd like to take a look at 
> it, I've copied a tarball and the extracted contents out to 
> http://staff.washington.edu/mdgilb/ for perusal.  We've done a fair 
> amount of debugging to the plugin and haven't found a blaring error yet, 
> but it is possible we missed something.
> 
> The main problem that we seem to be having seems related to the context 
> of the installation - if the plugin is installed at the zope root 
> acl_users folder, only users listed in that folder with the manager role 
> will have their permission reflected on all plone sites underneath.  If 
> the plugin is installed under a plone site's acl_users folder, users 
> with the manager role in that site have the proper permissions, but root 
> level managers (ie zope admins) will have a limited set of rights - once 
> the plugin is enabled for the final plugin type, trying to view all 
> available plugin types again (/<SiteName>/acl_users/plugins) will result 
> in a list of Undo options instead of the expected Plugin Types.

The plugin likely needs to check with the "parent" user folder, if any,
for role assignments, as well as looking in its own map.  Likewise for
group membership, if your roles are assigned to groups, rather than
directly to users.

In general, I would break apart the idea of group membership, which is
typically done globally (within the entire scope of the user folder),
from role assignment.  Mostly, I avoid doing "global" role assignment,
preferring instead to grant roles to the groups as "local roles".

I'm also pretty convinced that you don't really want or need more than
one user folder, in general at the root of the Zope database:  the
complexity caused by nesting user folders outweighs any benefit I've
ever identified.


Tres.
- --
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF0jyv+gerLs4ltQ4RAiFaAKCKJf897RMLV39yKlZoV0rlW/ANcACfYTUx
T34/GSvf/Olx+61okMeAA8k=
=/uRC
-----END PGP SIGNATURE-----
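
The lookup suggested in the reply above, as a plain-Python model added here for illustration; it is not code from the plugin or from PAS, and `UserFolder`, `own_roles`, `effective_roles` and `build_sample` are hypothetical names. It assumes group ids mean the same thing in every folder of the chain.

```python
# Added illustration: a plain-Python model, not Zope/PAS or plugin code.
# UserFolder and its method names are hypothetical.

class UserFolder:
    def __init__(self, path, parent=None):
        self.path = path
        self.parent = parent      # enclosing user folder, or None at the root
        self.role_map = {}        # principal id (user or group) -> set of roles
        self.group_map = {}       # user id -> set of group ids

    def assign_role(self, principal_id, role):
        self.role_map.setdefault(principal_id, set()).add(role)

    def add_to_group(self, user_id, group_id):
        self.group_map.setdefault(user_id, set()).add(group_id)

    def _chain(self):
        # This folder first, then each parent up to the root.
        folder = self
        while folder is not None:
            yield folder
            folder = folder.parent

    def _roles(self, user_id, folders):
        # Assumption: group ids mean the same thing in every folder given.
        principals = {user_id}
        for f in folders:
            principals |= f.group_map.get(user_id, set())
        roles = set()
        for f in folders:
            for p in principals:
                roles |= f.role_map.get(p, set())
        return roles

    def own_roles(self, user_id):
        # Own maps only: the behaviour that hides root-level managers.
        return self._roles(user_id, [self])

    def effective_roles(self, user_id):
        # Own maps plus every parent's; a child's assignments stay
        # invisible to its parent.
        return self._roles(user_id, list(self._chain()))

def build_sample():
    # Constructed sample data.
    root = UserFolder("/acl_users")
    site = UserFolder("/site/acl_users", parent=root)
    root.assign_role("zadmin", "Manager")
    root.add_to_group("carol", "webteam")
    site.assign_role("alice", "Manager")
    site.assign_role("webteam", "Reviewer")
    return root, site
```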

