[Zope] Anyone know of a tool to restore/cleanup/reset security/role settings?

Ross Patterson me at rpatterson.net
Mon Dec 1 13:29:59 EST 2008

"Alexander Limi" <limi at plone.org> writes:

> On Sat, 29 Nov 2008 15:19:10 -0800, Ross Patterson  
> <me at rpatterson.net> wrote:
>> Yeah, I did see that and no it doesn't look like it resets anything.  It
>> also looks like it's only concerned with local roles and I need to reset
>> the role mappings too.  But thanks anyways!
>> Keep an eye out for collective.securitycleanup.  :)
> Cool, I will. It's a very frequently asked question — "how can I get back  
> to the state my site was in before I started messing with security?" :)

I've released it:



GenericSetup handlers to restore Zope security to defaults

WARNING: Backup your ZODB before using this package!

The Zope 2 security framework is very powerful and one of it's greatest
strengths. A lot of it's power comes from it's flexibility. Exposing
that power to site adminsitrators often ends up giving them enough rope
to hang themselves with. This is exactly what the "Security" tab in the
ZMI does.

In many cases, a site admin or consultant is faced with the daunting
task of restoring all the security settings throughout the Zope object
heirarchy in order to bring sanity and predictability back to the
site. The collective.securitycleanup package provides GenericSetup
handlers for restoring the role mappings and local roles back to their
defaults. This handler can be used in combination with existing handlers
to set role mappings and to re-apply workflow security settings to help
start the process of security cleanup.

The clean up is performed on all ancestors including the Zope
application root and by walking down the heirarchy to all
descendants. This means all descendents of the context the handler is
used on and all ancestors of the context including the root will be
cleaned up. It will not clean up siblings or anything else that is not a
direct ancestor to the context.

The clean up removes all permission settings stored on the instance
which effectively restores them to code defaults. The clean up also
removes all local roles except the "Owner" role for the user returned by
OFS.interfasces.IOwned.getOwnerTuple() if already assigned.

Use of this tool will likely only ever be a starting point. So be sure
to test thoroughly before deploying to your production server and backup
your ZODB before using it.


More information about the Zope mailing list