Tim Hicks wrote:
> Hi Rob,
> 
> Thanks for the quick reply...
> 
> Rob Miller wrote:
> 
>>> So, it seems that the member role change is only partially successful.
>>> getRolesForPrincipal knows about the change, but the getRoles method on
>>> the member does not.
>> are you sure that you've got the right plug-in?  the membrane roles
>> plugin doesn't yet implement IRoleAssignerPlugin.  while i agree that
>> going through acl_users _should_ work (and it eventually will), for now
>> you're probably better off explicitly setting the roles field on the
>> member object.
> 
> Would just using member.setRoles be sufficient to have Zope's security
> mechanism recognise the role, or do I need to do something else as well?

no, setRoles is sufficient.  the roles plugin retrieves the roles from the 
member object.

> From the point of view of future-proofing my code, is there any down
> side to keeping the code I already have - i.e. the call to the
> IRoleAssignerPlugin (whichever it is) - and supplementing this with a
> call to member.setRoles?

i wouldn't.  it's not clear to me what is happening currently.  from a pdb 
session you should examine the roles plugins that you get back from 
acl_users... i suspect that you're getting other role plugins, not the 
membrane ones at all.  i don't know what the side effects are of setting roles 
for a user on the wrong plugin.

-r