
Suppose ADMINS is a group that has an Administrator role (site-wide).

In a different context of the Plone site (/Plone/folder) I would like to use the @@sharing view, and remove all roles from the ADMINS group and add some custom ones: the problem is that this isn't possible because the Administrator role for ADMINS is site-wide.

Is it possible to remove the site-wide role for just a context in a Plone Site? Or will I have to do this by setting individual permissions on custom workflow states?

Lennart Regebro

1 Answer


`@@sharing` manages local roles, and user/group roles (AKA global roles) cannot be changed via local roles. What you can do, however, is not apply the roles using the group (IOW, just leave the group without any roles), then use `/Plone/@@sharing` at the portal root to assign that group local roles there, then in `/Plone/folder/@@sharing` you can uncheck "Inherit permissions from higher levels" and the local roles from `/Plone` will not be inherited there.

Ross Patterson
  • This makes perfect sense. I forgot I could do @@sharing at `/Plone`. – Somebody still uses you MS-DOS Sep 13 '11 at 21:40
  • Actually, this is too obvious and simple: site-wide permissions and local are different (just checking the code for the `@@sharing` view shows that it calls `get_local_roles`), so that's why "inherit permissions" wasn't working: you have to make them all local, but the trick is you make them local at the *highest possible level*. Very clever, elegant and simple. You can't imagine how simple everything in my setup has become after your tip. :) – Somebody still uses you MS-DOS Sep 13 '11 at 22:40
  • Glad to hear it but only use local roles where you need to. Avoid going hog wild with this. Global user/group roles are *much* less likely to have problems or cause performance issues. – Ross Patterson Sep 13 '11 at 22:42
  • Hum, indeed. I haven't thought about performance issues. But sometimes a project has so many groups, each group in a different context, that this granularity I'm asking for is needed. Is doing this `Administrator` as a local role at `/Plone` going to harm performance for `Anonymous` users? – Somebody still uses you MS-DOS Sep 14 '11 at 17:18
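
The distinction the answer relies on, as an added example that is not part of the original thread and is not Plone's own code: a simplified model of role resolution in which global roles always apply and local roles are collected up the containment chain until a folder stops inheriting. The user `alice`, the role `CustomRole` and all function names are assumptions made for the illustration.

```python
# Simplified model of role resolution in context (not Plone source code).
class Node:
    """A content object: local role assignments plus an 'inherit' flag."""
    def __init__(self, name, parent=None, inherit=True):
        self.name, self.parent, self.inherit = name, parent, inherit
        self.local_roles = {}  # principal id -> set of role names

def roles_in_context(principals, global_roles, node):
    """Roles a user holds at `node`.

    principals   -- the user id plus the ids of the groups the user is in
    global_roles -- principal id -> set of site-wide roles
    """
    roles = set()
    # Global (site-wide) roles always apply; nothing below can remove them.
    for p in principals:
        roles |= global_roles.get(p, set())
    # Local roles are collected walking up, until a node blocks inheritance.
    while node is not None:
        for p in principals:
            roles |= node.local_roles.get(p, set())
        if not node.inherit:
            break
        node = node.parent
    return roles

def build_site(folder_inherits):
    portal = Node("Plone")
    folder = Node("folder", parent=portal, inherit=folder_inherits)
    return portal, folder

def question_setup():
    """ADMINS holds Administrator as a global role (the question's setup)."""
    portal, folder = build_site(folder_inherits=False)
    folder.local_roles["ADMINS"] = {"CustomRole"}
    who = ["alice", "ADMINS"]  # constructed user, member of ADMINS
    return roles_in_context(who, {"ADMINS": {"Administrator"}}, folder)

def answer_setup():
    """ADMINS has no global role; Administrator is a local role at /Plone."""
    portal, folder = build_site(folder_inherits=False)
    portal.local_roles["ADMINS"] = {"Administrator"}
    folder.local_roles["ADMINS"] = {"CustomRole"}
    who = ["alice", "ADMINS"]
    return roles_in_context(who, {}, portal), roles_in_context(who, {}, folder)

if __name__ == "__main__":
    print(question_setup())  # Administrator survives at /Plone/folder
    print(answer_setup())    # Administrator at /Plone only
```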