Rolemap importer offers no way to append roles into existing permissions #8

@tseaver

In https://bugs.launchpad.net/zope-cmf/+bug/1227290, @seanupton reported:

If a GenericSetup base profile defines a set of roles for a permission in its rolemap.xml, it is impossible to supplement (append) roles to that permission from an extension profile. Rather, the extension profile rolemap.xml must include duplicative (all) roles (for each permission) listed in upstream base profile and cannot merely supplement.

I have verified the outcome of this looking at manage_access in a Plone site, and by reviewing the code.

AccessControl.rolemanager.RoleManager.manage_permission() is passed only what is explicitly in the rolemap.xml for an extension profile by Products.GenericSetup.rolemap.importRolemap(). Permission.setRoles() does a setattr() replacement of the roles tuple/list in each permission. The consequence of this is that it is impossible to merge/supplement/append roles.

The work-around is to copylift and duplicate all roles listed in upstream package profiles.

Note: ac_roles is fine, is supplemented correctly. This is a per-permission mapping issue.

Versions: Zope: 2.13.21, Products.GenericSetup 1.7.4, Products.CMFCore 2.2.7 on Python 2.7.3
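
The following is an added example, not part of the issue report and not GenericSetup's own code: a self-contained model of the replace-on-import behaviour described above, with a check that lists the roles an extension profile's rolemap.xml would remove from a base profile's permissions. The two sample profiles and the function names are constructed for illustration.

```python
# Added illustration: models the replace-on-import behaviour described in the
# report. It does not call Products.GenericSetup; sample profiles are constructed.
import xml.etree.ElementTree as ET

BASE = """<rolemap><permissions>
  <permission name="View" acquire="True">
    <role name="Manager"/><role name="Editor"/><role name="Reader"/>
  </permission>
  <permission name="Modify portal content" acquire="False">
    <role name="Manager"/><role name="Editor"/>
  </permission>
</permissions></rolemap>"""

# The extension author intends only to *add* Reviewer to "View".
EXTENSION = """<rolemap><permissions>
  <permission name="View" acquire="True">
    <role name="Reviewer"/>
  </permission>
</permissions></rolemap>"""

def parse_rolemap(xml_text):
    """Return {permission name: set of role names} from rolemap.xml text."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): {r.get("name") for r in p.findall("role")}
            for p in root.iter("permission")}

def apply_replace(current, extension):
    """Model of the reported behaviour: listed permissions are overwritten."""
    result = {perm: set(roles) for perm, roles in current.items()}
    for perm, roles in extension.items():
        result[perm] = set(roles)  # replacement, not a union with current roles
    return result

def dropped_roles(base, extension):
    """Roles the base grants that the extension would silently remove."""
    lost = {}
    for perm, roles in extension.items():
        missing = base.get(perm, set()) - roles
        if missing:
            lost[perm] = sorted(missing)
    return lost

if __name__ == "__main__":
    base, ext = parse_rolemap(BASE), parse_rolemap(EXTENSION)
    print("effective:", apply_replace(base, ext))
    for perm, roles in dropped_roles(base, ext).items():
        print(f"{perm!r}: extension drops {roles}; list them again to keep them")
```

Running a check like `dropped_roles` over a real base/extension pair before import shows exactly which roles the work-around requires duplicating.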
