Forum OpenACS Development: Re: Howto: Expand and Use acs-subsite Based Member Roles
(permission::grant -party_id $comp_seg \
-object_id $package_id -privilege read)
I am going to be more specific.
I have a Project subsite; only members of the companies which belong to the 'project_company' (and more) segments can access the site. It is no more than an acs-subsite with edit-this-page. And I want to create three different roles, not by user (members) but by groups (companies).
First I create the three rel_types like this one:
acs_rel_type.create_type (
    rel_type => 'project_manager',
    pretty_name => 'Project Manager',
    pretty_plural => 'Project Managers',
    supertype => 'composition_rel',
    object_type_one => 'application_group',
    role_one => 'project',
    table_name => 'PROJECT',
    id_column => 'project_id',
    package_name => 'project_managers',
    min_n_rels_one => 1, max_n_rels_one => null,
    object_type_two => 'group',
    min_n_rels_two => 1, max_n_rels_two => 1
);
Then I create this rel_segments:
# Create and grant: Project Companies
set comp_seg [rel_segments_new $app_grp \
    project_company "$instance_name Companies"]
permission::grant -party_id $comp_seg \
    -object_id $package_id -privilege read
# Create and grant: Project Manager
set m_seg [rel_segments_new $app_grp \
    project_manager "$instance_name Manager"]
permission::grant -party_id $m_seg \
    -object_id $package_id -privilege admin
# Create and grant: Project Client
set cli_seg [rel_segments_new $app_grp \
    project_client "$instance_name Clients"]
permission::grant -party_id $cli_seg \
    -object_id $package_id -privilege admin
What I guess I've done up to here is to create three Group/Company roles and assign permissions to each role.
I only need to add Groups/Companies to each Role. Then I create a new object (in this case a new 'company', which is a subtype of 'group') and, following the process explained in this topic, I do:
set rel_id [relation_add -member_state "approved" project_company $app_grp $company_id]
Then I can add contacts to this company:
set contact_id [ad_user_new $email $name $surname $password "" "" "" "t" "approved"]
set rel_id [relation_add -member_state "approved" membership_rel $company_id $contact_id]
So far so good. But the new user cannot access the project subsite. And if I look at the code, that's quite understandable. I've added the company to the subsite's application group, not to the comp_seg rel_segment. Maybe the '-member_state approved' makes some magic glue... but when I look at 'package_instantiate_object' I get lost.
If I look at the permissions of the user_id (select * from acs_permissions where grantee_id = 26226), it only has read and write for itself.
If I look at the group_member_index of the user_id, he belongs to -2, -1, company_id, application_group_id.
If I look at the permissions on the package_id, there are read, admin, admin for the three rel_segments.
That's why I wanted to do a composition_rel between the company and the rel_segment. But the system does not allow me to do that. Must I create one rel_segment per company?