[Zope-PAS] Re: PluggableAuthService question about roles

Wichert Akkerman wichert at wiggy.net
Tue Apr 3 03:18:31 EDT 2007


Previously Tres Seaver wrote:
> The installer for a 'Plone Site' replaces the root acl_users with a PAS:
>  I've argued that this is poor practice (inexcusably rude, actually),
> but they seem determined to continue it.

Rewriting the PlonePAS install code and checking if we can remove the
root acl_users changing logic is on my todo list. The whole PlonePAS
install code is somewhat nasty unfortunately.

> >   Now I can only add users from the ZODB User Manager under /acl_users/users, 
> > there is nowhere to add a user from an Add button as in the older version of 
> > Zope.
> 
> Correct.  In PAS, there are actually potentially multiple user sources
> (e.g., SQL, LDAP, NTLM, etc.).  Adding them to the 'ZODB users' plugin
> is the "cognate" of the old "Add" button.

I started writing some PAS documentation recently that may give some
useful background information. You can find it at
http://plone.org/documentation/manual/pas-reference-manual

> >   I can add roles from ZODB Role Manager in /acl_users/roles but these roles 
> > don't show up under the Security tab on any page.  I can add local roles 
> > under the Security tab and they don't show up in /acl_users/roles. 
> 
> Correct.  The roles in the PAS plugin are used to control "global"
> grants to the users;  the roles you set on a folder (even the root), are
> about "local" grants.

There is (imho) a buglet here: creating new roles now involves creating
them both in the PAS roles manager and in the ZMI security tab.
ZODBRoleManager takes a snapshot of all existing roles in its
manage_afterAdd method, but never updates that list later.

Following your logic it would make more sense if the ZODBRoleManager
did not make a snapshot of existing roles to make the distinction
between global and local roles more obvious.

The whole local vs global roles thing always seems to get me confused
though.

> > Am still searching the WEB and archives in the meantime.
> 
> The better list for this would be zope-pas at lists.zope.org (CC'ed), which
> deals with PAS specifics.

How do zope-pas at zope.org and zope-pas at lists.zope.org relate to
each other? I've always wondered that.

Wichert.

-- 
Wichert Akkerman <wichert at wiggy.net>    It is simple to make things.
http://www.wiggy.net/                   It is hard to make things simple.
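The global-vs-local role split and the snapshot behaviour discussed in the message above, as an added toy model (not Zope or PAS code, and not from the list authors): `Folder`, `RoleManagerModel`, `effective_roles` and the sample folder tree are all constructed here to illustrate the idea. The role manager copies the set of roles declared on the root when it is created and never re-reads them, while local grants are resolved by walking up the containment chain, which is what makes a role added on the Security tab invisible to the role plugin and vice versa.

```python
"""Toy model of global (role-plugin) versus local (folder) role grants.

Constructed example; names and behaviour are simplified assumptions,
not the real Zope/PAS API.
"""


class Folder:
    """A container that can declare roles and hold local role grants."""

    def __init__(self, name, parent=None, valid_roles=()):
        self.name = name
        self.parent = parent
        # Roles declared on this folder's (hypothetical) Security tab.
        self.valid_roles = set(valid_roles)
        # user -> set of roles granted locally on this folder.
        self.local_roles = {}

    def define_role(self, role):
        """Declare a new role on the Security tab of this folder."""
        self.valid_roles.add(role)

    def declared_roles(self):
        """All roles declared here or on any ancestor (acquisition)."""
        roles, node = set(), self
        while node is not None:
            roles |= node.valid_roles
            node = node.parent
        return roles

    def grant_local(self, user, role):
        """Grant a local role; it must be declared somewhere up the chain."""
        if role not in self.declared_roles():
            raise ValueError(f"role {role!r} is not declared at {self.name}")
        self.local_roles.setdefault(user, set()).add(role)


class RoleManagerModel:
    """Models a role plugin that snapshots roles once at install time."""

    def __init__(self, root):
        # Mirrors the snapshot-on-install behaviour: copied once, never refreshed.
        self.roles = set(root.declared_roles())
        self.assignments = {}  # user -> set of global roles

    def add_role(self, role):
        """Add a role to the plugin only; the folders never learn about it."""
        self.roles.add(role)

    def assign(self, user, role):
        """Global grant; only roles the plugin knows about are accepted."""
        if role not in self.roles:
            raise ValueError(f"role {role!r} unknown to the role plugin")
        self.assignments.setdefault(user, set()).add(role)

    def global_roles_for(self, user):
        return set(self.assignments.get(user, set()))


def effective_roles(user, role_manager, context):
    """Global grants plus local grants from context up to the root."""
    roles = role_manager.global_roles_for(user)
    node = context
    while node is not None:
        roles |= node.local_roles.get(user, set())
        node = node.parent
    return roles


def build_scenario():
    """Constructed sample tree reproducing the mismatch described above."""
    root = Folder("root", valid_roles={"Manager", "Member"})
    manager = RoleManagerModel(root)  # snapshot taken now

    # Role added later on the Security tab: invisible to the plugin.
    root.define_role("Reviewer")
    # Role added later in the plugin: invisible to the Security tab.
    manager.add_role("Editor")

    docs = Folder("docs", parent=root)
    docs.grant_local("alice", "Reviewer")  # local grant, works on folders
    manager.assign("alice", "Editor")      # global grant, works in plugin
    return root, docs, manager


if __name__ == "__main__":
    root, docs, manager = build_scenario()
    print("plugin roles:", sorted(manager.roles))
    print("root roles:", sorted(root.declared_roles()))
    print("alice at docs:", sorted(effective_roles("alice", manager, docs)))
    print("alice at root:", sorted(effective_roles("alice", manager, root)))
```

Running it shows "Reviewer" present on the folder but absent from the plugin, "Editor" present in the plugin but absent from the folder, and alice holding "Editor" everywhere while "Reviewer" applies only inside `docs`. Trying `manager.assign("bob", "Reviewer")` or `root.grant_local("bob", "Editor")` raises, which is the double-bookkeeping the message complains about.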

