Permission role mapping in ZCML vs setup profile (in core)

Folks, in both Plone 4.x and 5.x, there is an odd assortment of some permissions defined in two different places:

  • The rolemap.xml file (setup profile, as a template for a new site).
  • In scattered ZCML, e.g. this one in

There are places where these are not in agreement (or at least, assuming acquisition is checked, the persistent rolemap is deferential to AccessControl.Permission.ApplicationDefaultPermissions, which is the place permission-to-role-mapping state configured in ZCML is kept).

Is there some plan to harmonize a single place of truth for default application permissions shipped in OOTB Plone? Should there be? Or can we make this at least more clear in documentation?
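One way to surface the disagreements described above, as an added example that is not part of the original post or of Plone core: it compares the roles a `rolemap.xml` assigns to each permission with the default roles declared in ZCML. The sample permission names and roles are constructed, and the ZCML sample assumes the `<role name="..."/>` sub-element form inside `<permission>`.

```python
import xml.etree.ElementTree as ET

ZOPE = "{http://namespaces.zope.org/zope}"
# Constructed samples; permission names and roles are made up for illustration.
ROLEMAP_XML = """<rolemap><permissions>
  <permission name="Example: Manage things" acquire="True">
    <role name="Manager"/>
  </permission>
  <permission name="Example: View things" acquire="False">
    <role name="Manager"/><role name="Editor"/>
  </permission>
</permissions></rolemap>"""

ZCML = """<configure xmlns="http://namespaces.zope.org/zope">
  <permission id="example.ManageThings" title="Example: Manage things">
    <role name="Manager"/><role name="Site Administrator"/>
  </permission>
  <permission id="example.ViewThings" title="Example: View things">
    <role name="Manager"/><role name="Editor"/>
  </permission>
</configure>"""


def rolemap_roles(text):
    """Permission name -> (roles, acquire flag) as declared in rolemap.xml."""
    out = {}
    for perm in ET.fromstring(text).iter("permission"):
        roles = frozenset(r.get("name") for r in perm.findall("role"))
        acquire = perm.get("acquire", "False").lower() == "true"
        out[perm.get("name")] = (roles, acquire)
    return out


def zcml_roles(text):
    """Permission title -> ZCML default roles (rolemap.xml keys on the title, not the id)."""
    return {
        perm.get("title"): frozenset(r.get("name") for r in perm.findall(ZOPE + "role"))
        for perm in ET.fromstring(text).iter(ZOPE + "permission")
    }


def disagreements(rolemap_text, zcml_text):
    """List (permission, rolemap roles, ZCML roles, acquire) where they differ."""
    zcml = zcml_roles(zcml_text)
    return [
        (name, sorted(roles), sorted(zcml[name]), acquire)
        for name, (roles, acquire) in sorted(rolemap_roles(rolemap_text).items())
        if name in zcml and roles != zcml[name]
    ]
```

The `acquire` flag is reported alongside each mismatch because, when it is set, the ZCML defaults can still reach the site through acquisition even though the rolemap lists fewer roles.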



