Hi,
I'm debugging now and have run into a slightly complicated situation. I
added "role:contributor" and modified security.py, populate.py and
workflow.zcml as follows.
kotti/security.py
SITE_ACL = [
    ['Allow', 'system.Everyone', ['view']],
    ['Allow', 'role:viewer', ['view']],
    ['Allow', 'role:editor', ['view', 'add', 'edit', 'state_change']],
    ['Allow', 'role:owner', ['view', 'add', 'edit', 'manage',
                            'state_change']],
    ['Allow', 'role:contributor', ['view', 'add']],
]
kotti/populate.py (for debugging)
# imports this snippet relies on (already at the top of kotti/populate.py)
from kotti import DBSession
from kotti.resources import Document, Node
from kotti.security import SITE_ACL
from kotti.workflow import get_workflow

def populate():
    if DBSession.query(Node).count() == 0:
        root = Document(**_ROOT_ATTRS)
        root.__acl__ = SITE_ACL
        print('SITE_ACL:')
        print(root.__acl__)
        DBSession.add(root)
        root['about'] = Document(**_ABOUT_ATTRS)
        wf = get_workflow(root)
        if wf is not None:
            DBSession.flush()  # Initializes workflow
            print('after DBSession.flush():')
            print(root.__acl__)
            wf.transition_to_state(root, None, u'public')
            print('after wf.transition_to_state(root, None, "public"):')
            print(root.__acl__)
kotti/workflow.zcml
<state name="public" callback="kotti.workflow.workflow_callback">
  .. (snip) ..
  <key name="role:contributor" value="view" />
</state>
I got the following debug output when the root content was populated.
SITE_ACL:
[['Allow', 'system.Everyone', ['view']],
['Allow', 'role:viewer', ['view']],
['Allow', 'role:editor', ['view', 'add', 'edit', 'state_change']],
['Allow', 'role:owner', ['view', 'add', 'edit', 'manage', 'state_change']],
['Allow', 'role:contributor', ['view', 'add']]]
after DBSession.flush():
[('Allow', 'role:owner', u'view'),
('Allow', 'role:owner', u'add'),
('Allow', 'role:owner', u'edit'),
('Allow', 'role:owner', u'manage'),
('Allow', 'role:owner', u'state_change'),
('Allow', 'role:viewer', u'view'),
('Allow', 'role:editor', u'view'),
('Allow', 'role:editor', u'add'),
('Allow', 'role:editor', u'edit'),
('Allow', 'role:editor', u'state_change'),
('Deny', 'system.Everyone', <pyramid.security.AllPermissionsList object at 0x23998d0>)]
after wf.transition_to_state(root, None, "public"):
[('Allow', 'role:contributor', u'view'),
('Allow', 'role:owner', u'view'),
('Allow', 'role:owner', u'add'),
('Allow', 'role:owner', u'edit'),
('Allow', 'role:owner', u'manage'),
('Allow', 'role:owner', u'state_change'),
('Allow', 'role:viewer', u'view'),
('Allow', 'role:editor', u'view'),
('Allow', 'role:editor', u'add'),
('Allow', 'role:editor', u'edit'),
('Allow', 'role:editor', u'state_change'),
('Allow', 'system.Everyone', u'view'),
('Deny', 'system.Everyone', <pyramid.security.AllPermissionsList object at 0x23998d0>)]
After "wf.transition_to_state(root, None, u'public')" is executed, the
"('Allow', 'role:contributor', u'view')" entry is added, taken from
workflow.zcml. For a user with "role:contributor" to be able to add a
document to the root content, an "add" permission is needed. However, I
don't want to grant the "add" permission to "role:contributor" in
workflow.zcml, because then another user with "role:contributor" could
add to any private content.
I don't understand why the "role:contributor" entry is not added to
root.__acl__ when "root.__acl__ = SITE_ACL" is set and
"DBSession.flush()" is executed. Is my thinking wrong somewhere?
thanks,
Tetsuya
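To make concrete what each of the three ACLs in the debug output above grants to a "role:contributor" user, here is an added example. It is not Kotti's or Pyramid's own code: it re-implements the lookup that Pyramid's ACLAuthorizationPolicy performs (walk from the node up to the root, first ACE matching both a principal and the permission decides, AllPermissionsList matches every permission, no match means denied). The Node, lineage and permits helpers and the CONTRIBUTOR principal set are stand-ins written for this example; the three ACLs are copied from the mail.

```python
# Added example (not Kotti's or Pyramid's code): minimal re-implementation of
# the ACLAuthorizationPolicy lookup, applied to the ACLs from the debug output.
from __future__ import print_function

Allow = 'Allow'
Deny = 'Deny'
Everyone = 'system.Everyone'
STRING_TYPES = (str, type(u''))


class AllPermissionsList(object):
    """Stand-in for pyramid.security.ALL_PERMISSIONS: contains every permission."""

    def __contains__(self, permission):
        return True


ALL_PERMISSIONS = AllPermissionsList()


class Node(object):
    """Stand-in for a Kotti Node: an optional __acl__ plus a link to its parent."""

    def __init__(self, name, acl=None, parent=None):
        self.__name__ = name
        self.__parent__ = parent
        if acl is not None:
            self.__acl__ = acl


def lineage(node):
    """Yield node, its parent, its grandparent, ... (the order Pyramid searches)."""
    while node is not None:
        yield node
        node = getattr(node, '__parent__', None)


def permits(context, principals, permission):
    """First ACE matching one of `principals` and `permission` decides.

    A trailing ('Deny', Everyone, ALL_PERMISSIONS) matches any permission, so
    it ends the search without ever consulting the parent's ACL.
    """
    for node in lineage(context):
        acl = getattr(node, '__acl__', None)
        if acl is None:
            continue
        for action, principal, perms in acl:
            if isinstance(perms, STRING_TYPES):
                perms = [perms]  # single permission string, as in the flushed ACL
            if principal in principals and permission in perms:
                return action == Allow
    return False


# The ACL assigned by hand before the flush (SITE_ACL from the mail).
SITE_ACL = [
    ['Allow', 'system.Everyone', ['view']],
    ['Allow', 'role:viewer', ['view']],
    ['Allow', 'role:editor', ['view', 'add', 'edit', 'state_change']],
    ['Allow', 'role:owner', ['view', 'add', 'edit', 'manage', 'state_change']],
    ['Allow', 'role:contributor', ['view', 'add']],
]

# root.__acl__ after DBSession.flush(): rebuilt by the workflow callback for the
# initial state, so the hand-written role:contributor entry is gone.
ACL_AFTER_FLUSH = [
    (Allow, 'role:owner', u'view'),
    (Allow, 'role:owner', u'add'),
    (Allow, 'role:owner', u'edit'),
    (Allow, 'role:owner', u'manage'),
    (Allow, 'role:owner', u'state_change'),
    (Allow, 'role:viewer', u'view'),
    (Allow, 'role:editor', u'view'),
    (Allow, 'role:editor', u'add'),
    (Allow, 'role:editor', u'edit'),
    (Allow, 'role:editor', u'state_change'),
    (Deny, Everyone, ALL_PERMISSIONS),
]

# root.__acl__ after the transition to 'public': only what workflow.zcml lists.
ACL_AFTER_PUBLIC = [(Allow, 'role:contributor', u'view')] + ACL_AFTER_FLUSH[:-1] + [
    (Allow, Everyone, u'view'),
    (Deny, Everyone, ALL_PERMISSIONS),
]

CONTRIBUTOR = frozenset([Everyone, 'role:contributor'])  # constructed principal set


def contributor_permissions(acl):
    """Which of view/add/edit a role:contributor user gets on a node with `acl`."""
    node = Node('root', acl)
    return dict((p, permits(node, CONTRIBUTOR, p)) for p in ('view', 'add', 'edit'))


def contributor_can_view_child(child_acl):
    """Child under the public root: does its own Deny line block inheritance?"""
    root = Node('root', ACL_AFTER_PUBLIC)
    child = Node('child', child_acl, parent=root)
    return permits(child, CONTRIBUTOR, 'view')


if __name__ == '__main__':
    print('SITE_ACL:          ', contributor_permissions(SITE_ACL))
    print('after flush:       ', contributor_permissions(ACL_AFTER_FLUSH))
    print('after public:      ', contributor_permissions(ACL_AFTER_PUBLIC))
    print('private child:     ', contributor_can_view_child(ACL_AFTER_FLUSH))
    print('child w/o __acl__: ', contributor_can_view_child(None))
```

The two points this makes visible: the workflow callback replaces root.__acl__ wholesale rather than merging with SITE_ACL, so after the flush the contributor gets nothing and after the 'public' transition exactly what workflow.zcml lists (view, not add); and because every workflow-generated ACL ends in a Deny-Everyone-ALL_PERMISSIONS entry, a private child never inherits anything from a public parent, which is why a permission granted for a state in workflow.zcml applies to every node in that state and only there.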