3.2.6. Roles plugin

The IRolesPlugin plugins determine the global roles for a principal. Like the other interfaces, the IRolesPlugin interface contains only a single method:

    def getRolesForPrincipal( principal, request=None ):
        """ principal -> ( role_1, ... role_N )

        o Return a sequence of role names which the principal has.

        o May assign roles based on values in the REQUEST object, if present.
        """

Here is a simple example:

    from AccessControl import getSecurityManager

    def getRolesForPrincipal(self, principal, request=None):
        # Only act on the current user (PAS passes the principal as a user object)
        if getSecurityManager().getUser().getId() != principal.getId():
            return ()

        # Only act if the request originates from the local host
        if request is not None:
            ip = request.get("HTTP_X_FORWARDED_FOR", request.get("REMOTE_ADDR", ""))
            if ip != "127.0.0.1":
                return ()

        return ("Manager",)

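This gives the current user the Manager role if the site is being accessed from the Zope server itself. Because X-Forwarded-For is a request header set by the client, the address check is only trustworthy when a front-end proxy under your control overwrites that header.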
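
A stricter form of the address check, as an added example that is not part of the original manual or of PAS itself: it reads X-Forwarded-For only when the connection comes from a listed proxy, and grants nothing when there is no request. The function names, the `trusted_proxies` parameter and the sample requests are assumptions made for illustration; a plugin's getRolesForPrincipal would delegate to `roles_for_principal`.

```python
import ipaddress

# Constructed sample requests (plain dicts standing in for the Zope request).
SPOOFED = {"REMOTE_ADDR": "203.0.113.9", "HTTP_X_FORWARDED_FOR": "127.0.0.1"}
LOCAL = {"REMOTE_ADDR": "127.0.0.1"}


def client_address(request, trusted_proxies=()):
    """Return the client address as an ipaddress object, or None if unknown.

    trusted_proxies (hypothetical parameter): reverse proxies allowed to
    report the client through X-Forwarded-For.
    """
    if request is None:
        return None
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    try:
        peer = ipaddress.ip_address(request.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    if peer not in trusted:
        # Direct connection: the header is client-supplied, so ignore it.
        return peer
    hops = request.get("HTTP_X_FORWARDED_FOR", "").split(",")
    # Rightmost entries were appended by our proxies; stop at the first
    # address that is not one of them.
    for hop in reversed([h.strip() for h in hops if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if addr not in trusted:
            return addr
    return peer


def roles_for_principal(principal_id, current_user_id, request, trusted_proxies=()):
    """Decision logic for getRolesForPrincipal, kept free of Zope imports.

    A plugin would pass principal.getId() and the current user's getId().
    """
    if principal_id != current_user_id:
        return ()
    addr = client_address(request, trusted_proxies)
    # Fail closed: a missing request or unparsable address grants nothing.
    if addr is None or not addr.is_loopback:
        return ()
    return ("Manager",)
```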

by Wichert Akkerman last modified April 2, 2007 - 08:02 All content is copyright Plone Foundation and the individual contributors.

remove roles with a roles plugin

Posted by unset at July 14, 2008 - 23:32
I see how such a plugin can add roles to those added by other roles plugins, but is it possible to *REMOVE* roles that are assigned by other roles plugins? For instance, I may want to strip all but the Member role if you are authenticating from IPs outside of the organization.

Re: remove roles with a roles plugin

Posted by Wichert Akkerman at July 15, 2008 - 07:00
No, as the interface clearly states, a roles plugin can only add roles. If you want to prevent roles from being added you will need to customize the role plugin that sets them.

Re: remove roles with a roles plugin

Posted by unset at July 16, 2008 - 19:23
Thanks for the reply. If you have multiple roles plugins (portal_role_manager, local_roles, an LDAP plugin, etc.), you'd have to customize them all. That doesn't sound modular to me. If you could chain them, each having an opportunity to modify the set of roles (either add or subtract), then you could write a single plugin that could modify the results of any other. I guess this would be a major shift in the PAS architecture.
