Folks, in both Plone 4.x and 5.x, there is an odd assortment of some permissions defined in two different places:
- The
rolemap.xml
file (setup profile, as a template for a new site). - In scattered ZCML, e.g. this one in plone.app.controlpanel.
There are places where these are not in agreement (or at least, assuming acquisition is checked, the persistent rolemap is deferential to AccessControl.Permission.ApplicationDefaultPermissions, which is the place permission-to-role-mapping state configured in ZCML is kept).
Is there some plan to harmonize a single place of truth for default application permissions shipped in OOTB Plone? Should there be? Or can we make this at least more clear in documentation?
Thoughts?
Sean