Plone DCWorkflow Script context.manage_setLocalRoles

Dear Plone community.

We are developing an Intranet solution based on Plone 5.2 for a mid-size organisation which is hierarchically organised.

As the organisation is structured hierarchically, every department in the organisation can publish documents in its own department only, or down to a specific level.

We try to solve the requirement by setting local roles during a workflow transition. This is because there are about 500 departments in the organisation and we want to avoid bloating up the workflow definition with transitions and states for every role-to-group assignment that is needed.

We have a restricted Python script which is called after the transition, and which unfortunately raises an Unauthorized exception which is caused by the script. The script has the following statements:

state_change.object.manage_setLocalRoles('GRUPPE_A1_B2', ('Reader',))

We have set the manager and site-admin proxy-role on the script, but it still gives a permission error when executing the script after the transition.

Setting the local role manually does give the required permissions needed to the groups. We just want to connect this step to a workflow transition.

Any help appreciated, thank you very much.

Define a browser view that does the local roles setting & reindex and call it from the script (or directly).

Did you try to change the local roles with a python script (create one in portal_skin/custom) to check if the problem is not related to workflow context?

I think yurj is suggesting something like:


Thank you for the advice.

What does "reindex" mean? Which steps do I need to make changes in the local role settings permanent and available in all places of memory Plone/Zope uses the local role settings in?

Does it mean reindex the portal catalog?

I mean this step, maybe it needs to stay in the browser view too.

Ah, that we have in our script. object.reindexObjectSecurity()

We have got it working. But what made it work is now unknown ... something we have changed apparently ... investigating further.

This is the tip we needed.

We have to clear the acquireLocalRoles setting on newly created documents, too, and tried to do this with a transition script, too, but it didn't work. Calling a view from the script is the general solution for this kind of problem, I think.

Thank you very much!




does not call the view when used in the transition-change script. The view works when I call it with @@myview on the URL of the object in the browser. Any ideas?

We are able to call the view from the script. With simple print-statements in it, it works.

When doing things like

objekt.manage_setLocalRoles(gruppenname, ('Reader',))

in the script, we get a traceback with:

aborting transaction due to no CSRF protection on url http:....

How do I call a browser view directly in a workflow transition?

Normally I call a view in this way:


We need the object to set the local roles on, so the view would miss this if called on the portal.

I think obj.restrictedTraverse("@@your-view") should also work.

You can implement a method in your view which can receive an argument, an object.

The restrictedTraverse method will not automatically call your view, only instantiate it. It will not call its __call__.
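
Added example, not code from any poster in this thread: a sketch of the approach suggested above, where the view exposes a method taking an argument and the transition script calls that method explicitly after traversal. The class, method and view names are hypothetical, and the `ImportError` fallback exists only so the block runs without Zope installed.

```python
# Added illustration; ReaderGrantView, ALLOWED_ROLES, grant() and the view
# name "@@reader-grant" are hypothetical, not taken from the thread.
try:
    from Products.Five.browser import BrowserView
except ImportError:  # stand-in so the example also runs without Zope
    class BrowserView(object):
        def __init__(self, context, request):
            self.context = context
            self.request = request

# Roles this view may hand out; anything else is refused.
ALLOWED_ROLES = frozenset({"Reader"})


class ReaderGrantView(BrowserView):
    """Helper view; a transition script would call, for example:
    state_change.object.restrictedTraverse("@@reader-grant").grant("GRUPPE_A1_B2")
    """

    def __call__(self):
        # Traversal only instantiates the view; nothing changes here.
        return "use grant(group_id)"

    def grant(self, group_id, roles=("Reader",)):
        roles = tuple(roles)
        if not roles or not set(roles) <= ALLOWED_ROLES:
            raise ValueError("role not allowed: %r" % (roles,))
        if not isinstance(group_id, str) or not group_id.strip():
            raise ValueError("group id required")
        obj = self.context
        # manage_setLocalRoles replaces the principal's role list, so merge
        # with whatever local roles the group already holds on this object.
        current = dict(obj.get_local_roles()).get(group_id, ())
        merged = tuple(sorted(set(current) | set(roles)))
        obj.manage_setLocalRoles(group_id, merged)
        # Refresh the catalog's security indexes for the object.
        obj.reindexObjectSecurity()
        return merged
```

View code runs outside the restricted-script sandbox, so the allow-list is what keeps a transition script from granting arbitrary roles through it; the view's ZCML registration and permission are not shown here.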

Inside the transition script I called the view on the object, like so:


so I have the object available as self.context in the view.

So how do I "call" the call function of the view, or my own defined function?


In the transition script the second of the following statements raises an unauthorized exception:

from plone import api
portal = api.portal.get()

although the script's Manager proxy role is set. In which kind of script do you use the suggested restrictedTraverse statement?



Maybe you cannot use plone.api directly in python scripts.

I get an 'insufficient privileges' site back with no stacktrace/exception showing in the 'instance fg' terminal output when trying your suggested statement in a Python-script connected to the state-transition.

In which version of Plone did you successfully execute your suggestion?

Sorry for the delay, we managed to solve the issue otherwise, but now it arises again.

To get tracebacks on Unauthorized exceptions, you have to remove it from the "Ignored exception types" in the @@error-log-form control panel (Site Setup -> Security -> Errors).