Forum OpenACS Development: Re: Howto: Expand and Use acs-subsite Based Member Roles

Posted by Juanjo Ruiz on
Yes, sorry, bad copy-paste. It would have been:

(permission::grant -party_id $comp_seg \
                -object_id $package_id -privilege read)

I am going to be more specific.

I have a Project subsite; only members of the companies which belong to the 'project_company' (and more) segments can access the site. It is no more than an acs-subsite with edit-this-page. And I want to create three different roles, not by user (members) but by groups (companies).

First I create the three rel_types like this one:

  acs_rel_type.create_type (
    rel_type => 'project_manager',
    pretty_name => 'Project Manager',
    pretty_plural => 'Project Managers',
    supertype => 'composition_rel',
    object_type_one => 'application_group',
    role_one => 'project',
    table_name => 'PROJECT',
    id_column => 'project_id',
    package_name => 'project_managers',
    min_n_rels_one => 1, max_n_rels_one => null,
    object_type_two => 'group',
    min_n_rels_two => 1, max_n_rels_two => 1
  );

Then I create these rel_segments:

        # Create and grant: Project Companies
        set comp_seg [rel_segments_new $app_grp \
                project_company "$instance_name Companies"]
        permission::grant -party_id $comp_seg \
                -object_id $package_id -privilege read

        # Create and grant: Project Manager
        set m_seg [rel_segments_new $app_grp \
                project_manager "$instance_name Manager"]
        permission::grant -party_id $m_seg \
                -object_id $package_id -privilege admin

        # Create and grant: Project Client
        set cli_seg [rel_segments_new $app_grp \
                project_client "$instance_name Clients"]
        permission::grant -party_id $cli_seg \
                -object_id $package_id -privilege admin

What I guess I've done up to here is to create three Group/Company roles and assign permissions to each role.

I only need to add Groups/Companies to each Role. Then I create a new object (in this case it is a new 'company', which is a subtype of 'group') and, following the process explained in this topic, I do:

set rel_id [relation_add -member_state "approved" project_company $app_grp $company_id]

Then I can add contacts to this company:

set contact_id [ad_user_new $email $name $surname $password "" "" "" "t" "approved"]
set rel_id [relation_add -member_state "approved" membership_rel $company_id $contact_id]

So far so good. But the new user cannot access the project subsite. And if I look at the code, that's quite understandable. I've added the company to the subsite's application group, not to the comp_seg rel_segment. Maybe the '-member_state approved' makes some magic glue... but when I look at 'package_instantiate_object' I get lost.

If I look at the permissions of the user_id (select * from acs_permissions where grantee_id = 26226), it only has read and write for itself.
If I look at the group_member_index of the user_id, he belongs to -2,-1,company_id,application_group_id.

If I look at the permissions on the package_id, there are read, admin, admin for the three rel_segments.

That's why I wanted to do a composition_rel between the company and the rel_segment. But the system does not allow me to do that. Must I create one rel_segment per company?