isawnyu / isaw.web

Isaw website buildout
http://isaw.nyu.edu

remove custom roles from rolemap.xml #46

Closed paregorios closed 8 years ago

paregorios commented 9 years ago

We would like our site-wide "publishers" to be able not only to "publish" items that have been submitted for review, but also to check in working copies as part of the publication workflow. We have given a user the "reviewer" role via @@usergroup-userprefs and that user can publish submitted content anywhere, but they are not given "check in" as an option on the "actions" menu even when they are looking at submitted working copies.

paregorios commented 9 years ago

I also wonder if there's a quick clarification answer to this question too... @alecpm @skleinfeldt

skleinfeldt commented 9 years ago

Again this sounds to me like a flaw in the custom WF code, but I am not so familiar with what that looks like with working copies enabled.

Can you clarify if this is new behavior since the recent theme deployment? I thought we made these WF changes a while ago (a story leading up to the 4.3 upgrade), and did not change them again recently?

paregorios commented 9 years ago

We would not have noticed this problem on the previous production because many of our users (including the director, who is now in question) were given the following roles globally via @@usergroup-userprefs:

We've pulled these all back now and are trying to manage things mostly with "groups" and the "sharing" tab. I don't even know where to look to see what the mappings are between the roles above and permissions etc. I also don't know whether these roles are stock Plone or if they've come forward from some crazy legacy customization we had.

Please advise.

paregorios commented 9 years ago

I've done some poking around and guess that a piece of what I didn't understand is to be found in the rolemaps.xml file in the isaw.policy product. I've compared what's there with what's said about "Standard Permissions and Roles" in the Plone docs and answered my own question: we are not standard. Evidently someone else in the history of that file thought so too. I can only assume that that is legacy to our setup. I wonder why we never addressed it.

I'll be trying to understand the permission-to-role mappings vis-a-vis the things I've been opening tickets about. It would be great to have some guidance.

alecpm commented 9 years ago

All the listed roles are standard, except for Personnel Manager which may be an artifact of an earlier FacultyStaffDirectory install (it's not mentioned in isaw.facultycv or other custom addons). There should also be a "Site Administrator" role, which is like Manager but without access to the ZMI and a few other things they might accidentally shoot themselves in the foot with.

The comment I left in rolemap.xml is in reference to how strange it is that the Editor role is being granted access to the ZMI. There may have been some legitimate reason for that at some point (perhaps some add-on that inappropriately restricted its use to ZMI users), but it's not easy to know why it was added or if it was perhaps just an accident when managing permissions in the ZMI eons ago.

skleinfeldt commented 9 years ago

Should it be a goal to get rid of rolemap.xml in the policy product and just use standard Plone roles? That would be less confusing for everyone and less high maintenance going forward I would think.

paregorios commented 9 years ago

I can't answer Sally's question as I don't understand the implications or outcomes. I had had the expectation back last fall that we would get rid of all legacy customizations and move to Plone defaults, then address the workflow needs we specified. It seems now that that initial step of getting rid of the old customizations wasn't quite what we did; the global permissions settings which we chose to leave in place prevented us from seeing any of the kinds of problems we're seeing now. That's all fine, so I'm trying to get details on where the problems are occurring...

But, I have done more testing, yet cannot seem to get consistent results where I can describe what the problems are and point you to specific content items. Our users' reports are insufficiently detailed to provide troubleshooting and I can't reproduce them with test users. But I have other problems with test users, but not consistently across the site. I will try to follow up with details.

NB: the testing I'm describing is also aimed at getting our hands around what's going on not only with this issue but also with #42 and #45

alecpm commented 9 years ago

The rolemap.xml incorporates all the TTW changes that were made on the site prior to Jazkarta's involvement along with a few newer permission changes. We didn't change global permissions from what was already in place except where specifically requested. At this point, the file is mostly specific global permission changes that have been requested in the past, and it is likely that more will need to be made, so we need to keep the custom rolemap.

It's likely that those two custom roles aren't being used, since I believe they are remnants of an old FSD installation, and they can probably be safely removed. We can probably also reset the permissions for "View management screens", and see if there's suddenly something Editors can't do that they could before. I don't believe that any of the customizations there are the source of any current problems though, they are all pretty benign and most of them were made to solve specific problems.

paregorios commented 9 years ago

I would like to request some interactive help time on this as early in the coming week as can be managed. I've spent several hours this weekend trying to set up examples on staging, but I'm beset by a combination of lack of understanding and by differences in behavior between production and staging. I'm currently blocked on staging by the fact that some local Plone users (i.e., not tied to netid) don't retain their logged-in status on staging, but they do on production.

skleinfeldt commented 9 years ago

Would a 1:00 eastern/noon central time today work for you for a meeting @paregorios and @k2soule ?

paregorios commented 9 years ago

The check-in aspect of this ticket is now subsumed into and superseded by nos. #48 and #49.

I am retitling this ticket to reflect the issue that remains: removing the old and presumed derelict custom roles from rolemap.xml as suggested by @alecpm, above.

alecpm commented 8 years ago

These changes (removing the Personnel Manager Role, and disallowing Editors access to the ZMI) have been made TTW and in the policy profile.

paregorios commented 8 years ago

@alecpm can you point me to the associated commit or branch for testing?

alecpm commented 8 years ago

https://github.com/isawnyu/isaw.web/commit/cc46c52e566addee9746e8b1552321010efba8e1 and much earlier: https://github.com/isawnyu/isaw.web/commit/a3b964d6a116bb663f959129eaaba015910fb21a

There's no migration step, as I applied the role changes manually to staging and production.
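
Added example, not part of the thread or of the isaw.web code: a small audit that reads a GenericSetup `rolemap.xml` and flags the two conditions discussed above, roles outside the stock Plone set and "View management screens" granted to anything other than Manager. The sample XML is constructed, and the role allow-lists and the function name `audit_rolemap` are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Stock global roles in a Plone 4.x site (assumption of this example).
STANDARD_ROLES = {"Anonymous", "Authenticated", "Contributor", "Editor", "Manager",
                  "Member", "Owner", "Reader", "Reviewer", "Site Administrator"}
# Assumption: ZMI access stays with Manager only, as the thread describes.
MANAGER_ONLY = {"View management screens"}

# Constructed sample in GenericSetup rolemap.xml format, not the isaw.policy file.
SAMPLE_ROLEMAP = """<?xml version="1.0"?>
<rolemap>
  <roles>
    <role name="Editor"/>
    <role name="Personnel Manager"/>
  </roles>
  <permissions>
    <permission name="View management screens" acquire="False">
      <role name="Manager"/>
      <role name="Editor"/>
    </permission>
    <permission name="Review portal content" acquire="True">
      <role name="Manager"/>
      <role name="Reviewer"/>
      <role name="Personnel Manager"/>
    </permission>
  </permissions>
</rolemap>
"""

def audit_rolemap(xml_text):
    """Return sorted (kind, permission, role) findings for a rolemap.xml document."""
    root = ET.fromstring(xml_text)
    findings = set()
    for role in root.findall("./roles/role"):
        if role.get("name") not in STANDARD_ROLES:
            findings.add(("custom-role-declared", "", role.get("name")))
    for perm in root.findall("./permissions/permission"):
        pname = perm.get("name")
        for role in perm.findall("role"):
            rname = role.get("name")
            if rname not in STANDARD_ROLES:
                findings.add(("custom-role-granted", pname, rname))
            if pname in MANAGER_ONLY and rname != "Manager":
                findings.add(("zmi-access", pname, rname))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit_rolemap(SAMPLE_ROLEMAP), sep="\n")
```

Because the role changes were applied manually to staging and production, the same check is only meaningful for the profile file; the live sites' role settings have to be compared separately.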