Install and uninstall roles through a product

I am creating a workflow policies product. In it, I want to add a new role called Poweruser. I have no issues adding the role, but when I uninstall the product, Poweruser does not go away. This is what I have done:
profiles/default/rolemap.xml:

<?xml version="1.0"?>
<rolemap>
  <roles>
    <role name="Anonymous"/>
    <role name="Authenticated"/>
    <role name="Contributor"/>
    <role name="Editor"/>
    <role name="Manager"/>
    <role name="Member"/>
    <role name="Owner"/>
    <role name="Poweruser"/>
    <role name="Reader"/>
    <role name="Reviewer"/>
    <role name="Site Administrator"/>
  </roles>
  <permissions>
    <permission name="Access arbitrary user session data" acquire="True">
      <role name="Site Administrator"/>
    </permission>
    <permission name="Access contents information" acquire="True">
      <role name="Contributor"/>
      <role name="Editor"/>
      <role name="Reader"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Access inactive portal content" acquire="True">
      <role name="Owner"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Access session data" acquire="True">
      <role name="Site Administrator"/>
    </permission>
    <permission name="Add portal content" acquire="True">
      <role name="Contributor"/>
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Add portal folders" acquire="True">
      <role name="Contributor"/>
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Add portal member" acquire="False">
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Allow sendto" acquire="True">
      <role name="Manager"/>
      <role name="Member"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="CMFEditions: Access previous versions" acquire="True">
      <role name="Contributor"/>
      <role name="Editor"/>
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Reviewer"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="CMFEditions: Apply version control" acquire="True">
      <role name="Contributor"/>
      <role name="Editor"/>
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Reviewer"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="CMFEditions: Checkout to location" acquire="True">
      <role name="Editor"/>
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Reviewer"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="CMFEditions: Revert to previous versions" acquire="True">
      <role name="Editor"/>
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Reviewer"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="CMFEditions: Save new version" acquire="True">
      <role name="Contributor"/>
      <role name="Editor"/>
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Reviewer"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Change local roles" acquire="True">
      <role name="Site Administrator"/>
    </permission>
    <permission name="Content rules: Manage rules" acquire="False">
      <role name="Manager"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Copy or Move" acquire="True">
      <role name="Site Administrator"/>
    </permission>
    <permission name="Delete comments" acquire="True">
      <role name="Manager"/>
      <role name="Reviewer"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Delete objects" acquire="True">
      <role name="Editor"/>
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Delete own comments" acquire="False">
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Reviewer"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Edit comments" acquire="True">
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Reviewer"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="FTP access" acquire="True">
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="List folder contents" acquire="True">
      <role name="Contributor"/>
      <role name="Editor"/>
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Reviewer"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="List portal members" acquire="True">
      <role name="Manager"/>
      <role name="Member"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="List undoable changes" acquire="True">
      <role name="Manager"/>
      <role name="Member"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Mail forgotten password" acquire="True">
      <role name="Manager"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Manage properties" acquire="True">
      <role name="Editor"/>
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Modify portal content" acquire="True">
      <role name="Editor"/>
      <role name="Owner"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Modify view template" acquire="True">
      <role name="Editor"/>
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Portlets: Manage own portlets" acquire="True">
      <role name="Manager"/>
      <role name="Member"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Portlets: Manage portlets" acquire="True">
      <role name="Manager"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Portlets: View dashboard" acquire="True">
      <role name="Manager"/>
      <role name="Member"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Reply to item" acquire="False">
      <role name="Authenticated"/>
    </permission>
    <permission name="Request review" acquire="True">
      <role name="Editor"/>
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Review comments" acquire="True">
      <role name="Manager"/>
      <role name="Reviewer"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Review portal content" acquire="True">
      <role name="Manager"/>
      <role name="Reviewer"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Search ZCatalog" acquire="True">
      <role name="Site Administrator"/>
    </permission>
    <permission name="Set own password" acquire="False">
      <role name="Authenticated"/>
      <role name="Manager"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Set own properties" acquire="False">
      <role name="Authenticated"/>
      <role name="Manager"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Show Toolbar" acquire="False">
      <role name="Authenticated"/>
    </permission>
    <permission name="Undo changes" acquire="True">
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Use Database Methods" acquire="True">
      <role name="Site Administrator"/>
    </permission>
    <permission name="Use external editor" acquire="False">
      <role name="Authenticated"/>
      <role name="Manager"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="Use mailhost services" acquire="True">
      <role name="Site Administrator"/>
    </permission>
    <permission name="Use version control" acquire="True">
      <role name="Site Administrator"/>
    </permission>
    <permission name="View" acquire="True">
      <role name="Contributor"/>
      <role name="Editor"/>
      <role name="Reader"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="View Groups" acquire="True">
      <role name="Manager"/>
      <role name="Member"/>
      <role name="Owner"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="View History" acquire="True">
      <role name="Site Administrator"/>
    </permission>
    <permission name="View management screens" acquire="True">
      <role name="Manager"/>
      <role name="Owner"/>
    </permission>
    <permission name="WebDAV Lock items" acquire="True">
      <role name="Site Administrator"/>
    </permission>
    <permission name="WebDAV Unlock items" acquire="True">
      <role name="Site Administrator"/>
    </permission>
    <permission name="WebDAV access" acquire="True">
      <role name="Site Administrator"/>
    </permission>
    <permission name="plone.app.contenttypes: Add Collection" acquire="True">
      <role name="Contributor"/>
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="plone.app.contenttypes: Add Document" acquire="True">
      <role name="Contributor"/>
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="plone.app.contenttypes: Add Event" acquire="True">
      <role name="Contributor"/>
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="plone.app.contenttypes: Add File" acquire="True">
      <role name="Contributor"/>
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="plone.app.contenttypes: Add Folder" acquire="True">
      <role name="Contributor"/>
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="plone.app.contenttypes: Add Image" acquire="True">
      <role name="Contributor"/>
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="plone.app.contenttypes: Add Link" acquire="True">
      <role name="Contributor"/>
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="plone.app.contenttypes: Add News Item" acquire="True">
      <role name="Contributor"/>
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="plone.app.event: Import Ical" acquire="True">
      <role name="Editor"/>
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="plone.resource: Export ZIP file" acquire="False">
      <role name="Manager"/>
    </permission>
    <permission name="plone.resourceeditor: Manage Sources" acquire="False">
      <role name="Manager"/>
      <role name="Site Administrator"/>
    </permission>
  </permissions>
</rolemap>

profiles/uninstall/rolemap.xml:

<?xml version="1.0"?>
<rolemap>
  <roles>
    <role name="Anonymous"/>
    <role name="Authenticated"/>
    <role name="Contributor"/>
    <role name="Editor"/>
    <role name="Manager"/>
    <role name="Member"/>
    <role name="Owner"/>
    <role name="Poweruser" remove="true"/>
    <role name="Reader"/>
    <role name="Reviewer"/>
    <role name="Site Administrator"/>
  </roles>
.
.
.

Error message: ERROR Plone Could not uninstall ncdhhspolicies.sharedservices: u'remove'

I am quite sure that I am not placing the remove="true" statement in the correct place. Any advice would be most appreciated. Thank you.

This is what I think (please take a backup before you try this, as this is taken from memory).

  1. You do not have to add all the 'old roles', you just need to set purge="False" on roles (or maybe on role map)
  2. remove=True is not in the right place, it should be on roles (or maybe role-map)

remove is a generic GenericSetup attribute. However, not all handlers support the GenericSetup update directives (such as remove). The error seems to come from such a handler. Ideally, a traceback should be associated with your error (look for it in the event.log logfile). It will tell you from where the exception comes. You can then look around whether the handler supports a different attribute for deletion.

Espen,

This is my uninstall and I tried rolemap purge="false" on roles or rolemap

<?xml version="1.0"?>
<rolemap>
  <roles>
    <role name="Poweruser"/>
  </roles>
</rolemap>

ERROR Plone Could not uninstall product.services: u'purge'

The same occurred for purge="remove"
ERROR Plone Could not uninstall product.services: u'remove'

Dieter,
The error message was the same:
ERROR Plone Could not uninstall product.services: u'remove'

My assumption is that the handler responsible for the rolemap does not support the (in principle standard) GenericSetup update attribute (a bug/weakness in the handler). It may support a different update attribute with the effect of "remove".

The easiest way to locate the responsible handler would be to look at the traceback associated with the error (I hope you find this in the log file event.log). Once the handler is located, you can look in its code whether it supports role deletion and how it does so.

If I remember right, you can also find the handler in the Import tab of the portal_setup object in your portal. Again, once located, you would need to look at the handler code (see above).

Dieter,

This is what I see in my event.log:

2018-06-29T14:54:20 INFO Products.GenericSetup.tool Importing profile profile-product.services:uninstall with dependency strategy upgrade.
------
2018-06-29T14:54:20 INFO Products.GenericSetup.tool Applying main profile profile-product.services:uninstall
------
2018-06-29T14:54:21 ERROR Plone Could not uninstall product.services: u'remove'

From what I see in the Plone code in Products/GenericSetup/rolemap.py there is no provision to remove a role at this point.

I remember having seen that GenericSetup can add a fully custom install step, maybe this could be done with a bit of Python code.

That is sad: another weakness in the GenericSetup handling: it should log full error information.

However, I had anticipated this possibility and indicated another way to locate the responsible handler. Fortunately, gp54321 has done this work for you: he has located the handler in Products/GenericSetup/rolemap.py and found out that it (sadly) does not support role deletion (neither via the remove attribute nor otherwise). As a workaround, he proposed that you do the removal in your own GenericSetup handler (documented in the GenericSetup documentation). This is a bit difficult: you must not only understand how roles can be deleted but also quite a bit about GenericSetup handlers and how you ensure that they are activated (if and only if they should get activated).

You might consider filing a GenericSetup bug report: its "rolemap" handler should support the remove attribute. Tres Seaver used to be the GenericSetup maintainer, and in my experience he cares about bug reports.

dieter, gp54321 and espen, thank you so much for looking into this for me. I really appreciate it. I will see if I can file a bug report so that we can do a clean uninstall where roles are concerned. Thank you so much!!! Cheers!
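
The custom-handler workaround discussed in the thread, sketched as an added example (not code from any poster or from GenericSetup): an import step for the uninstall profile that removes the leftover Poweruser role so it cannot linger as a stale privilege after the product is gone. Assumptions: the marker file name is hypothetical, the role is held in the site's `__ac_roles__` and possibly in the PAS `portal_role_manager` plugin, and the `Fake*` classes are constructed stand-ins so the handler can be exercised without a Plone instance.

```python
from types import SimpleNamespace

ROLE = "Poweruser"                          # role name from the thread
MARKER = "product_services_uninstall.txt"   # hypothetical marker file name


def remove_role(site, role=ROLE):
    """Drop `role` from the site root and the PAS role plugin; idempotent."""
    removed = []
    # rolemap.xml import stores roles in the site's __ac_roles__ tuple.
    if role in getattr(site, "__ac_roles__", ()):
        site._delRoles([role])
        removed.append("site")
    # If the role is also defined in the PAS role plugin, remove it there too.
    plugin = getattr(site.acl_users, "portal_role_manager", None)
    if plugin is not None and role in plugin.listRoleIds():
        plugin.removeRole(role)
        removed.append("pas")
    return removed


def uninstall(context):
    """GenericSetup import step; acts only for the profile that ships MARKER."""
    if context.readDataFile(MARKER) is None:
        return []  # some other profile is being imported: do nothing
    return remove_role(context.getSite())


# --- constructed stand-ins (not Plone code) ---
class FakePlugin:
    def __init__(self, ids):
        self.ids = set(ids)

    def listRoleIds(self):
        return sorted(self.ids)

    def removeRole(self, role_id):
        self.ids.remove(role_id)


class FakeSite:
    def __init__(self, roles):
        self.__ac_roles__ = tuple(roles)
        self.acl_users = SimpleNamespace(portal_role_manager=FakePlugin(roles))

    def _delRoles(self, roles):
        self.__ac_roles__ = tuple(r for r in self.__ac_roles__ if r not in roles)


def fake_context(roles, files):
    site = FakeSite(roles)
    return SimpleNamespace(getSite=lambda: site, readDataFile=files.get)
```

The handler still has to be registered as an import step and the marker file placed in profiles/uninstall; role entries on individual permissions and local role assignments on content are not touched by it and need their own review.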