Users explicitly getting group roles in classic, bug?

Add user1 to group Reviewers. user1 implicitly has the Reviewer role, but looking at acl_users he doesn't have that role explicitly. If you remove user1 from group Reviewers at this point, user1 will no longer have the Reviewer role.

Let's say instead you go to @@usergroup-userprefs and hit Save. user1 now has the Reviewer role explicitly, and you can see this in acl_users. If you remove user1 from the Reviewers group, it doesn't matter - he still has the Reviewer role. You will need to also uncheck that role from the user in the users overview page.

This seems like a bug, yes? If the "inherit" icon is present on a role when I hit Save, that role should not be explicitly assigned.

Yes, this is a bug. And I think this happens in Volto too.

I think the issue is here Products.CMFPlone/Products/CMFPlone/controlpanel/browser/usergroups_usersoverview.pt at master · plone/Products.CMFPlone · GitHub It's being passed in as a hidden variable, so the form handler assigns it explicitly. Does this need to be here at all?

You could also change the condition to "python:inherit and explicit". That would make it so that if you explicitly set a Role before adding a user to a group that also has that Role, when they are removed from that group they will still have their explicit assignment of that Role. I think there's an argument that we should not do this though, because there is no way to convey to an admin that they also explicitly have that role, nor can they change it without removing the group.

This is the original blame: Fixed Forbidden error in users and groups overview. · plone/Products.CMFPlone@ce97ab9 · GitHub. And issue Site Administrator can not reset any user's password in @@usergroup-userprefs if there is a member of Administrators group · Issue #1293 · plone/Products.CMFPlone · GitHub. Basically, the intent is that non-Managers should not be able to remove the Manager role through this form. I think the check here is faulty though; it should be a bit more nuanced.


This is hacky, but you could do

```html
tal:condition="python:inherited and portal_role=='Manager'"
```

so it only passes on that specific role, to satisfy this check. I think ideally you would want to do something like changing this check Products.CMFPlone/Products/CMFPlone/controlpanel/browser/usergroups_usersoverview.py at fdbaca8f59f1e70db45a5efa902242c54d142841 · plone/Products.CMFPlone · GitHub to check just against the explicit roles and not inherited ones. I'm not sure there's an easy way to do that.
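The following is an added, stand-alone simulation of the behaviour discussed in this thread (the stale explicit role after Save, the pre-existing explicit assignment from the "inherit and explicit" reply, and the Site Administrator case from issue #1293). It is not Plone or PAS code and does not touch acl_users: the role store is a few dicts, the @@usergroup-userprefs form is a dict of checkbox values, and every name in it (RoleStore, render_form_buggy, render_form_fixed, handle_submit and the scenario functions) is an assumption made for this illustration. The "buggy" renderer posts inherited roles back as hidden inputs, as the template does today; the "fixed" renderer posts only explicit roles, and the handler's Manager guard compares against explicit roles only, which is the nuance the last two replies ask for.

```python
"""Simulation of the explicit-vs-inherited role bug discussed in this thread.

Added example, not Plone or PAS code: the role store is a few dicts, the
@@usergroup-userprefs form is a dict of checkbox values, and every name here
(RoleStore, render_form_buggy, handle_submit, ...) is an assumption made for
this illustration only.
"""
from dataclasses import dataclass, field


@dataclass
class RoleStore:
    """Explicit per-user roles (what acl_users would show), group
    membership, and the roles each group grants."""
    user_roles: dict = field(default_factory=dict)
    user_groups: dict = field(default_factory=dict)
    group_roles: dict = field(default_factory=dict)

    def explicit(self, user):
        return set(self.user_roles.get(user, ()))

    def inherited(self, user):
        roles = set()
        for group in self.user_groups.get(user, ()):
            roles |= set(self.group_roles.get(group, ()))
        return roles

    def effective(self, user):
        return self.explicit(user) | self.inherited(user)

    def add_to_group(self, user, group):
        self.user_groups.setdefault(user, set()).add(group)

    def remove_from_group(self, user, group):
        self.user_groups.get(user, set()).discard(group)


def render_form_buggy(store, user):
    """Every effective role is posted back, inherited ones as hidden inputs
    (the template behaviour the thread points at)."""
    return {role: True for role in store.effective(user)}


def render_form_fixed(store, user):
    """Only explicitly assigned roles are posted; inherited roles are
    display-only and never reach the handler."""
    return {role: True for role in store.explicit(user)}


def handle_submit(store, user, posted, actor_is_manager):
    """Persist the posted roles as the user's explicit roles.

    The Manager guard compares the posted roles with the user's *explicit*
    roles, so a group-granted Manager role is not mistaken for a removal.
    """
    wanted = {role for role, checked in posted.items() if checked}
    if ("Manager" in store.explicit(user) and "Manager" not in wanted
            and not actor_is_manager):
        raise PermissionError("only a Manager may remove the Manager role")
    store.user_roles[user] = wanted


def stale_role_after_save(render):
    """Thread's scenario: join group, Save without changes, leave group.
    Returns whether user1 still holds Reviewer afterwards."""
    store = RoleStore(group_roles={"Reviewers": {"Reviewer"}})
    store.add_to_group("user1", "Reviewers")
    handle_submit(store, "user1", render(store, "user1"), actor_is_manager=True)
    store.remove_from_group("user1", "Reviewers")
    return "Reviewer" in store.effective("user1")


def explicit_role_survives_group_removal(render):
    """Role assigned explicitly before joining a group that also grants it."""
    store = RoleStore(user_roles={"user1": {"Reviewer"}},
                      group_roles={"Reviewers": {"Reviewer"}})
    store.add_to_group("user1", "Reviewers")
    handle_submit(store, "user1", render(store, "user1"), actor_is_manager=True)
    store.remove_from_group("user1", "Reviewers")
    return "Reviewer" in store.effective("user1")


def site_admin_saves_group_manager(render):
    """Issue #1293 shape: a non-Manager saves a user who is Manager only via
    the Administrators group. Returns (save succeeded, Manager now explicit)."""
    store = RoleStore(group_roles={"Administrators": {"Manager"}})
    store.add_to_group("user2", "Administrators")
    try:
        handle_submit(store, "user2", render(store, "user2"),
                      actor_is_manager=False)
    except PermissionError:
        return (False, "Manager" in store.explicit("user2"))
    return (True, "Manager" in store.explicit("user2"))


if __name__ == "__main__":
    for render in (render_form_buggy, render_form_fixed):
        print(render.__name__,
              stale_role_after_save(render),
              explicit_role_survives_group_removal(render),
              site_admin_saves_group_manager(render))
```

With the buggy renderer the no-change Save turns the inherited Reviewer role into an explicit one, and a Site Administrator saving a group-granted Manager silently makes that Manager role explicit as well. With the fixed renderer and the explicit-only guard, the Save is a no-op for inherited roles, a pre-existing explicit assignment still survives leaving the group, and the Site Administrator's Save goes through without the Forbidden error the hidden input was added to avoid.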