[Zope-CMF] permissions/roles

Tres Seaver tseaver@zope.com
05 Feb 2003 16:43:48 -0500

On Tue, 2003-02-04 at 12:05, Sally Owens wrote:
> Apologies if this is something that has been covered on this list (I've 
> only just joined but a quick glance at the archives didn't answer my 
> question)...
> We want to create a user role of 'Web Manager' in our CMF site and we want 
> this user to be able to create new users but only new users *with a 
> particular role* i.e. we don't want someone in a 'Web Manager' role to be 
> able to create a new user and assign them the role of 'Manager', but we do 
> want them to be able to assign the role of 'Web Editor' to a new user (the 
> web editor role has fairly limited permissions).
> This is really a question about devolving responsibility I guess. We don't 
> want to have to set up every new user and assign them a role - we want web 
> managers to be able to set up users (for their team), but not for them to 
> be able to set up very powerful user roles for these users. Is there a way 
> of either restricting a permission (so that the permission to add a new 
> user could be restricted to only allow the creation of users with certain 
> roles) or an easy way of adding a new permission to the security tab list 
> (so that we could have some sort of 'create a new Web Editor user' permission)?
> All advice gratefully appreciated!

The brute force approach would be to write an ExternalMethod (e.g,
loaded as '/psth/to/site/portal_skins/custom/createWebEditor'), which
can do all the appropriate checking, and call all the "disallowed"
methods, which you need.

Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com