[Grok-dev] Any ideas of how to debug permissions and roles... (was:
Small problem removing roles from principals)
Sebastian Ware
sebastian at urbantalk.se
Wed Sep 19 09:48:32 EDT 2007
I am having problems tracking down a role/permission based issue. I
have created the role 'prestatics.manager' and assigned some
permissions to it. Then I have used the directive
grok.require('prestatics.EditUser') to restrict access to the edit
user view.

If I assign the role 'prestatics.manager' to a new principal during
creation of that user, it seems to get the correct permissions. But
if I update it at a later time it stays unauthorised despite having
the correct role.

a) Is there an obvious mistake I am making?
b) How do I debug this in an efficient way?

Below is a transcript of what I have examined to try to figure out
if I have assigned the correct permissions and roles:
>>> mgr = IRolePermissionManager(grok.getSite())
>>> mgr.getRolesAndPermissions()
[('prestatics.EditUser', 'prestatics.manager', PermissionSetting:
Allow), ('prestatics.AddReport', 'prestatics.manager',
PermissionSetting: Allow), ('proton.Add', 'proton.Owner',
PermissionSetting: Allow), ('prestatics.AddUser',
'prestatics.manager', PermissionSetting: Allow),
('prestatics.EditReport', 'prestatics.manager', PermissionSetting:
Allow), ('prestatics.ViewReport', 'prestatics.editor',
PermissionSetting: Allow), ('prestatics.ViewReport',
'prestatics.manager', PermissionSetting: Allow), ('proton.Edit',
'proton.Owner', PermissionSetting: Allow),
('prestatics.EditReportContent', 'prestatics.editor',
PermissionSetting: Allow), ('prestatics.EditReportContent',
'prestatics.manager', PermissionSetting: Allow),
('prestatics.AddReportContent', 'prestatics.editor',
PermissionSetting: Allow), ('prestatics.AddReportContent',
'prestatics.manager', PermissionSetting: Allow),
('prestatics.ViewReportContent', 'prestatics.editor',
PermissionSetting: Allow), ('prestatics.ViewReportContent',
'prestatics.manager', PermissionSetting: Allow)]
>>> role_manager = IPrincipalRoleManager(grok.getSite())
>>> role_manager.getRolesForPrincipal(self.context.__name__)
[('prestatics.manager', PermissionSetting: Allow)]
...and this is the directive that causes the unauthorised problem
when I have logged in using the above user (self.context):
grok.require('prestatics.EditUser')
Best regards, Sebastian

On 19 Sep 2007, at 13:24, Sebastian Ware wrote:
> After further examination, the problem probably doesn't reside in
> the removing of the role, but rather that the changed permissions
> aren't recognised. I need to dig a bit further.
>
> Best regards, Sebastian
>
> On 19 Sep 2007, at 11:44, Sebastian Ware wrote:
>
>> I am having problems removing roles from principals. I am using
>> the following code to "refresh" the roles assigned to a principal:
>>
>> def touch_user_roles(user):
>>     pau = getUtility(IAuthentication)
>>     principals = pau['principals']
>>     role_manager = IPrincipalRoleManager(user)
>>     role_manager.removeRoleFromPrincipal(
>>         'prestatics.editor', principals.prefix + user.__name__)
>>     role_manager.removeRoleFromPrincipal(
>>         'prestatics.manager', principals.prefix + user.__name__)
>>     if IWorkflowState(user).getState() == interfaces.PUBLISHED:
>>         if user.role == 'Manager':
>>             role_manager.assignRoleToPrincipal(
>>                 'prestatics.manager', principals.prefix + user.__name__)
>>         elif user.role == 'Editor':
>>             role_manager.assignRoleToPrincipal(
>>                 'prestatics.editor', principals.prefix + user.__name__)
>>
>> If I remove calls to "removeRoleFromPrincipal" I can add roles
>> without any problems. What am I doing wrong with the call to
>> "removeRoleFromPrincipal"?
>>
>> Best regards, Sebastian
>>
>> _______________________________________________
>> Grok-dev mailing list
>> Grok-dev at zope.org
>> http://mail.zope.org/mailman/listinfo/grok-dev
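
An added example, not part of the original message and not Grok or Zope code: a small stand-alone checker that takes rows in the shape of the two dumps in the transcript and reports which role, if any, gives a principal id a permission. It is a simplified model (one role map, no parent lookup, no direct principal-permission grants), and the principal ids and the `explain` helper are hypothetical.

```python
ALLOW, DENY = "Allow", "Deny"

# (permission, role, setting) rows copied from the getRolesAndPermissions() dump
ROLE_PERMISSIONS = [
    ("prestatics.EditUser", "prestatics.manager", ALLOW),
    ("prestatics.AddUser", "prestatics.manager", ALLOW),
    ("prestatics.ViewReport", "prestatics.editor", ALLOW),
    ("prestatics.ViewReport", "prestatics.manager", ALLOW),
]

# Constructed sample (role, principal id, setting) rows; the ids are hypothetical
PRINCIPAL_ROLES = [
    ("prestatics.manager", "alice", ALLOW),
    ("prestatics.editor", "principal.bob", ALLOW),
    ("prestatics.manager", "principal.bob", DENY),
]


def explain(principal_id, permission, role_permissions, principal_roles):
    """Return (allowed, reasons) for one principal id and one permission."""
    # Roles that carry an Allow setting for the permission being checked
    granting = {r for p, r, s in role_permissions
                if p == permission and s == ALLOW}
    # Role settings stored under exactly this principal id string
    held = {r: s for r, pid, s in principal_roles if pid == principal_id}
    reasons = []
    if not granting:
        reasons.append("no role is allowed %s" % permission)
    if not held:
        # Ids are compared as exact strings, so list stored ids that share
        # the last dotted component (for example, the same id with a prefix).
        tail = principal_id.rsplit(".", 1)[-1]
        near = sorted({pid for _, pid, _ in principal_roles
                       if pid.rsplit(".", 1)[-1] == tail})
        reasons.append("no role rows for id %r; similar ids: %s"
                       % (principal_id, near))
    for role in sorted(granting & set(held)):
        reasons.append("%s -> %s" % (role, held[role]))
    # Allowed only if at least one granting role is held with Allow
    allowed = any(held.get(role) == ALLOW for role in granting)
    return allowed, reasons
```

Feeding it the real dumps from the same manager object and the same id string that the failing request uses shows whether the role row is missing, stored under a different id, or stored with a Deny setting.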