Permissions in Plone

Good morning, Plone Community!

I am in the process of preparing the permissions for a Plone addon I made in dexterity. In addition, it is an addon to upgrade from Archetypes version to a new Dexterity version. However, I am unable to get the view to display when logged in as a user with limited permissions and access. Everything loads fine in the Dexterity version. However, when loading with the Archetypes version I get an error saying that the permissions given are not sufficient. I checked the permissions, role map, and workflow assigned for this addon yet I am still unsure as to why it is not displaying properly.

Below is a snippet of the role map:

    <permission name="yc.facultycv: Add Faculty" acquire="False">
      <role name="Manager"/>
      <role name="Owner"/>
    </permission>
    <permission name="yc.facultycv: Add Pbaction" acquire="False">
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="PBdeptChair"/>
    </permission>
    <permission name="yc.facultycv: Add Pbactionclt" acquire="False">
      <role name="Manager"/>
      <role name="Owner"/>
    </permission>
    <permission name="yc.facultycv: Add Pbactionleave" acquire="False">
      <role name="Manager"/>
      <role name="Owner"/>
    </permission>
    <permission name="yc.facultycv: Add Pbactionportfolio" acquire="False">
      <role name="Manager"/>
      <role name="Owner"/>
    </permission>
    <permission name="yc.facultycv: Add Pbactionportfolioa" acquire="False">
      <role name="Manager"/>
      <role name="Owner"/>
    </permission>
    <permission name="yc.facultycv: Add Pbactionportfoliob" acquire="False">
      <role name="Manager"/>
      <role name="Owner"/>
    </permission>
    <permission name="yc.facultycv: Add Pbactionportfolioc" acquire="False">
      <role name="Manager"/>
      <role name="Owner"/>
    </permission>
    <permission name="yc.facultycv: Add Pbactionscholar" acquire="False">
      <role name="Manager"/>
      <role name="Owner"/>
    </permission>
    <permission name="yc.facultycv: Add Staff" acquire="False">
      <role name="Manager"/>
      <role name="Owner"/>
    </permission>
    <permission name="yc.facultycv: Add SymposiumTalk" acquire="False">
      <role name="Contributor"/>
      <role name="Manager"/>
      <role name="Owner"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="yc.facultycv: Do College Vote" acquire="False">
      <role name="Manager"/>
      <role name="PBcollege"/>
      <role name="PBhead"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="yc.facultycv: Do Department Vote" acquire="False">
      <role name="Manager"/>
      <role name="PBdept"/>
      <role name="PBdeptChair"/>
      <role name="PBhead"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="yc.facultycv: Edit Appeal" acquire="False">
      <role name="Manager"/>
      <role name="PBhead"/>
    </permission>
    <permission name="yc.facultycv: Edit PB College Chair" acquire="False">
      <role name="Manager"/>
      <role name="PBhead"/>
    </permission>
    <permission name="yc.facultycv: Edit PB Dept Chair" acquire="False">
      <role name="Manager"/>
      <role name="PBhead"/>
    </permission>
    <permission name="yc.facultycv: Edit PB Memo" acquire="False">
      <role name="Manager"/>
      <role name="PBdeptChair"/>
      <role name="PBhead"/>
    </permission>
    <permission name="yc.facultycv: Show View" acquire="False">
      <role name="Manager"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="yc.facultycv: View Appeal" acquire="False">
      <role name="Manager"/>
      <role name="PBhead"/>
    </permission>
    <permission name="yc.facultycv: View College Vote" acquire="False">
      <role name="Manager"/>
      <role name="PBcollege"/>
      <role name="PBhead"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="yc.facultycv: View Department Vote" acquire="False">
      <role name="Manager"/>
      <role name="PBdept"/>
      <role name="PBdeptChair"/>
      <role name="PBhead"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="yc.facultycv: View PB College Committees" acquire="False">
      <role name="Manager"/>
      <role name="PBdeptChair"/>
      <role name="PBhead"/>
    </permission>
    <permission name="yc.facultycv: View PB Dept Committees" acquire="False">
      <role name="Manager"/>
      <role name="PBdeptChair"/>
      <role name="PBhead"/>
    </permission>

What else do I need to try to address the problem?

I thank you kindly.

Sincerely,

rbrown12
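
An added example (not part of the original post, and not the add-on's own code): a small Python audit that reads a role map like the one above and reports which permissions a given set of roles holds. The `<rolemap>`/`<permissions>` wrapper, the three-permission excerpt, and the user's roles `Member` and `PBdept` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Excerpt of the role map posted above, wrapped in a GenericSetup-style
# rolemap.xml envelope (wrapper elements added for this example).
ROLEMAP_XML = """
<rolemap>
  <permissions>
    <permission name="yc.facultycv: Show View" acquire="False">
      <role name="Manager"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="yc.facultycv: View Department Vote" acquire="False">
      <role name="Manager"/>
      <role name="PBdept"/>
      <role name="PBdeptChair"/>
      <role name="PBhead"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="yc.facultycv: View Appeal" acquire="False">
      <role name="Manager"/>
      <role name="PBhead"/>
    </permission>
  </permissions>
</rolemap>
"""


def load_rolemap(xml_text):
    """Return {permission name: (acquire flag, set of role names)}."""
    result = {}
    for perm in ET.fromstring(xml_text).iter("permission"):
        acquire = perm.get("acquire", "").strip().lower() in ("true", "1", "yes")
        roles = {r.get("name") for r in perm.findall("role")}
        result[perm.get("name")] = (acquire, roles)
    return result


def audit(rolemap, user_roles):
    """Classify each permission for a user holding exactly user_roles."""
    report = {}
    for name, (acquire, roles) in sorted(rolemap.items()):
        if roles & set(user_roles):
            report[name] = "granted"
        elif acquire:
            report[name] = "check parent"  # roles may be inherited from above
        else:
            report[name] = "denied"        # acquire=False: listed roles only
    return report


if __name__ == "__main__":
    # Hypothetical limited user; substitute the roles of the failing account.
    for perm, verdict in audit(load_rolemap(ROLEMAP_XML), {"Member", "PBdept"}).items():
        print(f"{verdict:12} {perm}")
```

This only evaluates the site-level role map; workflow permission settings and local roles on an object can change the effective result.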

rbrown12 via Plone Community wrote at 2022-3-10 17:01 +0000:

> ...
> I am in the process of preparing the permissions for a Plone addon I made in dexterity. In addition, it is an addon to upgrade from Archetypes version to a new Dexterity version. However, I am unable to get the view to display when logged in as a user with limited permissions and access. Everything loads fine in the Dexterity version. However, when loading with the Archetypes version I get an error saying that the permissions given are not sufficient. I checked the permissions, role map, and workflow assigned for this addon yet I am still unsure as to why it is not displaying properly.

Whenever you have a permission problem it is a good idea to
activate verbose-security: this will make permission related
messages much more informative (but induces an overhead for permission
checking).

I have verbose-security turned on in my instance now. This is what is displayed in the console:

2022-03-10 13:40:39 INFO plone.app.blocks Do not have permission for tile plone.app.standardtiles.lockinfo on context acl_users/credentials_cookie_auth

By the way, thank you for responding!

rbrown12 via Plone Community wrote at 2022-3-10 18:51 +0000:

> I have verbose-security turned on in my instance now. This is what is displayed in the console:
>
> 2022-03-10 13:40:39 INFO plone.app.blocks Do not have permission for tile plone.app.standardtiles.lockinfo on context acl_users/credentials_cookie_auth

This does not (yet) look like a verbose message (that would tell
(at least) which permission is required).
Are you aware that you must also set
"security-policy-implementation" to PYTHON to make verbose security
effective?

The log entry indicates that the message was not generated
by Zope's security system (i.e. AccessControl) but
by plone.app.blocks. You could try to locate the respective
source code and add additional information to the log entry.
You could look at the implementation of "verbose-security" (in AccessControl)
to learn how this additional information can be determined.

Verbose security messages have (approximately) the form:
"you do not have permission PPPP to access OOOO;
you are authenticated as UUUU by the user folder at PPPP and have the roles
RRRR, RRRR, RRRR; required is one of the roles RRRR, RRRR, RRRR".
