Reputation: 281
Using plone 4.
I last used plone 5 years ago, am rusty with python and generally do not consider myself a developer these days. I am just wondering if what I am trying to do is:
Statement of the problem:
I am developing a plone site for a medium-sized academic organization (it does not have its own IT department and is generally unaware of CMSes). The organization has one overall leader. The organization is divided into 5 groups consisting of various users. Each of these 5 groups has a group leader. The plone site has internal and external publication workflow (it came as an add-on, I think).
I have created 5 groups (Group1-5) on my plone site to reflect this structure. I have also created a group called GroupLeaders that contains the 5 leaders of the 5 groups. Each user has a personal folder. Further, each group has a group folder. There is also an overall organization folder.
Read (r) / write (w) / internal publication (ip) / external publication (ep) permissions:
User folder: user (r w ip ep)
Group folder: user (r w), group leader (r w ip ep)
Organization folder: user (r w), group leader (r w ip), organization leader (r w ip ep).
Further, group leaders are also nominal members of their groups. Finally, the organization leader belongs to one of the 5 groups. The organization leader and group leader are never the same person.
The identities of group leaders and organization leader change after a fixed period of 2 years. Upon losing their leader status, the users become simple members of that group (users).
I am trying to implement the following workflow:
Users in any of the groups can create documents (of any kind) in their personal folder (which is published externally immediately). All documents created by a user in a Group folder have to be approved for internal / external publication by the concerned group leader. However, mere membership in GroupLeaders is not enough. Only the GroupLeader of group 2 (say) should be able to approve / deny edits made by a member of group 2. So, I need something like (meta code):
If (member belongsto GroupLeader && member belongsto Group 2) assign approval workflow to member end
How do I do this?
Upvotes: 0
Views: 432
Reputation: 3965
After following Martijn's answer, add the following as a 'Script before' to the transitions 'publish_internally' and 'publish_externally':
pu = context.plone_utils
current_user_group_memberships = pu.portal_membership.getAuthenticatedMember().getGroups()
groups_with_locally_assigned_write_permission = []

# Get all local role-assignments of object:
local_roles = context.acl_users.getLocalRolesForDisplay(context)
inherited_local_roles = pu.getInheritedLocalRoles(context)
all_local_roles = local_roles + inherited_local_roles

# Of these assignments, collect groups with write-permissions.
# Each entry is a tuple of (name, roles, type, id); the type is compared
# with == (not `is`), and the two role tests are bracketed so that the
# `and` applies to both of them:
for role in all_local_roles:
    if role[2] == 'group' and ('Contributor' in role[1] or 'Editor' in role[1]):
        groupname = role[0]
        if groupname not in groups_with_locally_assigned_write_permission:
            groups_with_locally_assigned_write_permission.append(groupname)

# Now, we compare, if the user is a member of one of these groups:
for group in groups_with_locally_assigned_write_permission:
    # Is member of an assigned group:
    if group in current_user_group_memberships:
        return True
    # Not groupmember, but in orgafolder should be able to publish internally
    # (the transition id would come from the script's state_change argument):
    #elif [CONTEXT_IS_ORGAFOLDER] and transition == 'publish_internally':
    #    return True
    # Neither of conditions applied, continue for-loop:
    else:
        pass

# For-loop ended and didn't bring good news:
return False
You still have to find a way, though, to identify whether the context is an organization folder and insert that check at the placeholder [CONTEXT_IS_ORGAFOLDER].
I would like to mention that zopyx.plone.cassandra was a big help in understanding the storage of permissions.
Upvotes: 0
Reputation: 1124548
You can assign roles to groups directly, both globally and in a given context.
Simply design your workflow around roles, not groups. Through group membership, users will have the correct roles in the correct context.
So, in the group folder, assign the editor role to the corresponding Group group, and the reviewer role to the appropriate GroupLeader group. When the group leader is removed from the GroupLeader group, and another user added to that group, roles automatically follow.
Upvotes: 2
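The two answers above differ in what the guard tests: the first walks the local role assignments and matches group names, the second assigns roles to groups and lets the guard test the role. The following is an added, stand-alone model of Plone-style local roles (written for this page, not code from either answer or from Plone) that shows both checks side by side and why the role-based one survives a change of leader. It assumes one leader group per group (Group2Leaders, Group3Leaders), since the single GroupLeaders group of the question cannot distinguish the leader of group 2 from the leader of group 3, and an OrgLeader group for the organization leader; the user ids, folder paths and the `FOLDERS`/`USERS` structures are constructed for the example. Role acquisition down the folder tree and the per-folder switch that blocks it mirror Plone behaviour (the "inherit permissions" option on the Sharing tab), but the functions here are not Plone APIs.

```python
import copy

# Constructed principal directory: user id -> set of group ids (the kind of
# value getAuthenticatedMember().getGroups() yields in Plone). The per-group
# leader groups and OrgLeader are assumptions, not groups from the question.
USERS = {
    "alice": {"Group2"},
    "bob":   {"Group2", "Group2Leaders", "GroupLeaders"},   # current leader of group 2
    "carol": {"Group3", "Group3Leaders", "GroupLeaders"},   # leader of group 3
    "dave":  {"Group1", "OrgLeader"},                       # organization leader
}

# Constructed folder tree: path -> (parent path, {principal id: roles}, block_acquisition).
# Roles are granted to groups only, as Martijn's answer recommends; the third
# field models the switch that stops a folder from inheriting roles from above.
FOLDERS = {
    "/org":               (None,          {"GroupLeaders": {"Editor"}, "OrgLeader": {"Reviewer"}}, False),
    "/org/group2":        ("/org",        {"Group2": {"Editor"}, "Group2Leaders": {"Reviewer"}}, True),
    "/org/group2/report": ("/org/group2", {}, False),   # a document; inherits from its folder
    "/org/group3":        ("/org",        {"Group3": {"Editor"}, "Group3Leaders": {"Reviewer"}}, False),
}


def role_assignments(path):
    """Principal -> roles in force at `path`: the folder's own grants plus those
    acquired from ancestors, stopping at a folder that blocks acquisition."""
    assignments = {}
    while path is not None:
        parent, local, block = FOLDERS[path]
        for principal, roles in local.items():
            assignments.setdefault(principal, set()).update(roles)
        if block:
            break
        path = parent
    return assignments


def effective_roles(user, path, users=USERS):
    """Roles `user` holds at `path`, granted to the user directly or to any of its groups."""
    principals = {user} | users[user]
    roles = set()
    for principal, granted in role_assignments(path).items():
        if principal in principals:
            roles |= granted
    return roles


def may_publish(user, path, users=USERS):
    """Role-based guard in the spirit of Martijn's answer: whoever currently holds
    Reviewer at this context may run publish_internally / publish_externally."""
    return "Reviewer" in effective_roles(user, path, users)


def may_edit_by_group(user, path, users=USERS):
    """The group-based test of the first answer: is the user a member of some group
    that holds a write role (Editor or Contributor) at this context?"""
    writers = {p for p, r in role_assignments(path).items() if r & {"Editor", "Contributor"}}
    return bool(writers & users[user])


def change_leader(users, leaders_group, old, new):
    """Rotate leadership after the two-year term: only group membership moves;
    no role grant on any folder has to be edited. Returns an updated copy."""
    updated = copy.deepcopy(users)
    updated[old].discard(leaders_group)
    updated[new].add(leaders_group)
    return updated


if __name__ == "__main__":
    doc = "/org/group2/report"
    print("bob may publish the group 2 report:", may_publish("bob", doc))           # True
    print("carol (leader of group 3) may publish it:", may_publish("carol", doc))   # False
    print("dave may publish in group 3 (acquired):", may_publish("dave", "/org/group3"))  # True
    print("dave may publish in group 2 (blocked):", may_publish("dave", doc))       # False
    after = change_leader(USERS, "Group2Leaders", "bob", "alice")
    print("after rotation, alice may publish:", may_publish("alice", doc, after))   # True
    print("after rotation, bob may publish:", may_publish("bob", doc, after))       # False
```

Two points the run makes visible. The role-based guard needs no edit when leadership rotates: `change_leader` only moves a membership, and `may_publish` follows it. And acquisition matters for the question's permission table: the organization leader's Reviewer grant on `/org` reaches `/org/group3`, which does not block inherited roles, but not `/org/group2`, which does; whether the organization leader should be able to approve inside group folders is a decision the question leaves open, and it is the block switch on each group folder, not the workflow script, that settles it.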