[Zope] Deleting a Role Doesn't Appear to Remove Permissions

[Jason Grigsby]

Today I ran into an issue in Zope where even after you delete a role that
the permissions associated with that role exist. If a user has that role
assigned to them, whatever permissions where last assigned to that role will
be available.

To test this, I created a test file with the following code:

<dtml-if "AUTHENTICATED_USER.has_permission('Set Access Rule',content)">
foo
</dtml-if>

I chose Set Access Rule as a permission that is not normally associated with
a regular user. Testing this page produced no foo because the user does not
have access to the "Set Access Rule" permission on the content object (you
could pick any Zope Object to test on).

Then I created a test role. I assigned that test role to a user. I again
tested the output and got nothing.

I then gave the test role the permission to "Set Access Rule". Now when the
page is reloaded, foo appears.

Here is where it gets interesting. After deleting the test role, foo still
appears. This means that the role, while supposedly deleted, still exists
and is still assigning permissions.

Finally, I create a new role with the same name as the test role I created
earlier. This new role had the "Set Access Rule" button already
selected--indicating in my mind that the role was never really deleted.

If I am correct about this, this means that if we create a role and then
delete it, we will need to make sure that the role does not exist for any
users or they will continue to have the access that they had before.

Has anyone else run into this or seen a reported bug similar? (I searched
the Zope Bug Collector to no avail).

-Jason