Deal with circular import problems and do some real deprecation

4257dbfe · Hanno Schlichting · d561f077 · 4257dbfe · 4257dbfe · 4257dbfe
Commit 4257dbfe authored Jun 19, 2010 by Hanno Schlichting
18 changed files
--- a/src/AccessControl/AccessControl.txt
+++ b/src/AccessControl/AccessControl.txt
@@ -165,10 +165,8 @@ Mail Host
  o Change configuration


-
-
 To support the architecture, developers must derive an
-object from the AccessControl.RoleManager mixin class,
+object from the AccessControl.rolemanager.BaseRoleManager mixin class,
 and define in their class an __ac_permissions__ attribute.

 This should be a tuple of tuples, where each tuple represents
@@ -191,8 +189,6 @@ Example:
    ('Delete properties',  ['manage_delProperties']),
    ('Default permission', ['']),
    )
-   
-

 The developer may also predefine useful types of access, by
 specifying an __ac_types__ attribute. This should be a tuple of 
@@ -214,8 +210,6 @@ Example:

    )

-
-
 Developers may also provide pre-defined role names that are
 not deletable via the interface by specifying an __ac_roles__
 attribute. This is probably not something we'll ever use under
@@ -224,29 +218,3 @@ the new architecture, but it's there if you need it.
 Example:

    __ac_roles__=('Manager', 'Anonymous')
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
--- a/src/AccessControl/Role.py
+++ b/src/AccessControl/Role.py
@@ -12,509 +12,23 @@
 ##############################################################################
 """Access control support
 """
-from cgi import escape

-from Acquisition import Acquired
-from Acquisition import aq_base
-from Acquisition import aq_get
-from ExtensionClass import Base
-from zope.interface import implements
-
-from AccessControl import ClassSecurityInfo
-from AccessControl.class_init import InitializeClass
-from AccessControl.interfaces import IRoleManager
-from AccessControl.Permission import getPermissions
-from AccessControl.Permission import Permission
-from AccessControl.PermissionMapping import RoleManager
-from AccessControl.Permissions import change_permissions
-from AccessControl.SecurityManagement import newSecurityManager
-
-DEFAULTMAXLISTUSERS = 250
-
-
-def _isBeingUsedAsAMethod(self):
-    return aq_get(self, '_isBeingUsedAsAMethod_', 0)
-
-
-def _isNotBeingUsedAsAMethod(self):
-    return not aq_get(self, '_isBeingUsedAsAMethod_', 0)
-
-
-class BaseRoleManager(Base, RoleManager):
-    """An object that has configurable permissions"""
-
-    implements(IRoleManager)
-    permissionMappingPossibleValues=Acquired
-    security = ClassSecurityInfo()
-
-    __ac_roles__ = ('Manager', 'Owner', 'Anonymous', 'Authenticated')
-    __ac_local_roles__ = None
-
-    security.declareProtected(change_permissions, 'ac_inherited_permissions')
-    def ac_inherited_permissions(self, all=0):
-        # Get all permissions not defined in ourself that are inherited
-        # This will be a sequence of tuples with a name as the first item and
-        # an empty tuple as the second.
-        d = {}
-        perms = self.__ac_permissions__
-        for p in perms:
-            d[p[0]] = None
-
-        r = gather_permissions(self.__class__, [], d)
-        if all:
-            if hasattr(self, '_subobject_permissions'):
-                for p in self._subobject_permissions():
-                    pname=p[0]
-                    if not pname in d:
-                        d[pname] = 1
-                        r.append(p)
-
-            r = list(perms) + r
-            r.sort()
-
-        return tuple(r)
-
-    security.declareProtected(change_permissions, 'permission_settings')
-    def permission_settings(self, permission=None):
-        """Return user-role permission settings.
-
-        If 'permission' is passed to the method then only the settings for
-        'permission' is returned.
-        """
-        result=[]
-        valid=self.valid_roles()
-        indexes=range(len(valid))
-        ip=0
-
-        permissions = self.ac_inherited_permissions(1)
-        # Filter permissions
-        if permission:
-            permissions = [p for p in permissions if p[0] == permission]
-
-        for p in permissions:
-            name, value = p[:2]
-            p=Permission(name, value, self)
-            roles = p.getRoles(default=[])
-            d={'name': name,
-               'acquire': isinstance(roles, list) and 'CHECKED' or '',
-               'roles': map(
-                   lambda ir, roles=roles, valid=valid, ip=ip:
-                   {
-                       'name': "p%dr%d" % (ip, ir),
-                       'checked': (valid[ir] in roles) and 'CHECKED' or '',
-                       },
-                   indexes)
-               }
-            ip = ip + 1
-            result.append(d)
-        return result
-
-    security.declareProtected(change_permissions, 'manage_role')
-    def manage_role(self, role_to_manage, permissions=[]):
-        """Change the permissions given to the given role.
-        """
-        for p in self.ac_inherited_permissions(1):
-            name, value = p[:2]
-            p=Permission(name, value, self)
-            p.setRole(role_to_manage, name in permissions)
-
-    security.declareProtected(change_permissions, 'manage_acquiredPermissions')
-    def manage_acquiredPermissions(self, permissions=[]):
-        """Change the permissions that acquire.
-        """
-        for p in self.ac_inherited_permissions(1):
-            name, value = p[:2]
-            p = Permission(name, value, self)
-            roles = p.getRoles()
-            if roles is None:
-                continue
-            if name in permissions:
-                p.setRoles(list(roles))
-            else:
-                p.setRoles(tuple(roles))
-
-    def manage_getUserRolesAndPermissions(self, user_id):
-        """ Used for permission/role reporting for a given user_id.
-            Returns a dict mapping
-
-            'user_defined_in' -> path where the user account is defined
-            'roles' -> global roles,
-            'roles_in_context' -> roles in context of the current object,
-            'allowed_permissions' -> permissions allowed for the user,
-            'disallowed_permissions' -> all other permissions
-        """
-        d = {}
-        current = self
-
-        while 1:
-            try:
-                uf = current.acl_users
-            except AttributeError:
-                raise ValueError('User %s could not be found' % user_id)
-
-            userObj = uf.getUser(user_id)
-            if userObj:
-                break
-            else:
-                current = current.__parent__
-
-        newSecurityManager(None, userObj) # necessary?
-        userObj = userObj.__of__(uf)
-
-        d = {'user_defined_in': '/' + uf.absolute_url(1)}
-
-        # roles
-        roles = list(userObj.getRoles())
-        roles.sort()
-        d['roles'] = roles
-
-        # roles in context
-        roles = list(userObj.getRolesInContext(self))
-        roles.sort()
-        d['roles_in_context'] = roles
-
-        # permissions
-        allowed = []
-        disallowed = []
-        permMap = self.manage_getPermissionMapping()
-        for item in permMap:
-            p = item['permission_name']
-            if userObj.has_permission(p, self):
-                allowed.append(p)
-            else:
-                disallowed.append(p)
-
-        d['allowed_permissions'] = allowed
-        d['disallowed_permissions'] = disallowed
-
-        return d
-
-    security.declareProtected(change_permissions, 'manage_permission')
-    def manage_permission(self, permission_to_manage, roles=[], acquire=0):
-        """Change the settings for the given permission.
-
-        If optional arg acquire is true, then the roles for the permission
-        are acquired, in addition to the ones specified, otherwise the
-        permissions are restricted to only the designated roles.
-        """
-        for p in self.ac_inherited_permissions(1):
-            name, value = p[:2]
-            if name == permission_to_manage:
-                p = Permission(name, value, self)
-                if acquire:
-                    roles=list(roles)
-                else:
-                    roles=tuple(roles)
-                p.setRoles(roles)
-                return
-
-        raise ValueError(
-            "The permission <em>%s</em> is invalid." %
-                escape(permission_to_manage))
-
-    security.declareProtected(change_permissions, 'permissionsOfRole')
-    def permissionsOfRole(self, role):
-        """Returns a role to permission mapping.
-        """
-        r = []
-        for p in self.ac_inherited_permissions(1):
-            name, value = p[:2]
-            p = Permission(name, value, self)
-            roles = p.getRoles()
-            r.append({'name': name,
-                      'selected': role in roles and 'SELECTED' or '',
-                      })
-        return r
-
-    security.declareProtected(change_permissions, 'rolesOfPermission')
-    def rolesOfPermission(self, permission):
-        """Returns a permission to role mapping.
-        """
-        valid_roles = self.valid_roles()
-        for p in self.ac_inherited_permissions(1):
-            name, value = p[:2]
-            if name==permission:
-                p = Permission(name, value, self)
-                roles = p.getRoles()
-                return map(
-                    lambda role, roles=roles:
-                    {'name': role,
-                     'selected': role in roles and 'SELECTED' or '',
-                     },
-                    valid_roles)
-
-        raise ValueError(
-            "The permission <em>%s</em> is invalid." % escape(permission))
-
-    security.declareProtected(change_permissions, 'acquiredRolesAreUsedBy')
-    def acquiredRolesAreUsedBy(self, permission):
-        """
-        """
-        for p in self.ac_inherited_permissions(1):
-            name, value = p[:2]
-            if name==permission:
-                p=Permission(name, value, self)
-                roles = p.getRoles()
-                return isinstance(roles, list) and 'CHECKED' or ''
-
-        raise ValueError(
-            "The permission <em>%s</em> is invalid." % escape(permission))
-
-    # Local roles support
-    # -------------------
-    #
-    # Local roles allow a user to be given extra roles in the context
-    # of a particular object (and its children). When a user is given
-    # extra roles in a particular object, an entry for that user is made
-    # in the __ac_local_roles__ dict containing the extra roles.
-
-    def has_local_roles(self):
-        dict=self.__ac_local_roles__ or {}
-        return len(dict)
-
-    def get_local_roles(self):
-        dict=self.__ac_local_roles__ or {}
-        keys=dict.keys()
-        keys.sort()
-        info=[]
-        for key in keys:
-            value=tuple(dict[key])
-            info.append((key, value))
-        return tuple(info)
-
-    def users_with_local_role(self, role):
-        got = {}
-        for user, roles in self.get_local_roles():
-            if role in roles:
-                got[user] = 1
-        return got.keys()
-
-    def get_valid_userids(self):
-        item=self
-        dict={}
-        _notfound = []
-        while 1:
-            aclu = getattr(aq_base(item), '__allow_groups__', _notfound)
-            if aclu is not _notfound:
-                mlu = getattr(aclu, 'maxlistusers', _notfound)
-                if not isinstance(mlu, int):
-                    mlu = DEFAULTMAXLISTUSERS
-                if mlu < 0:
-                    raise OverflowError
-                un = getattr(aclu, 'user_names', _notfound)
-                if un is not _notfound:
-                    un = aclu.__of__(item).user_names # rewrap
-                    unl = un()
-                    # maxlistusers of 0 is list all
-                    if len(unl) > mlu and mlu != 0:
-                        raise OverflowError
-                    for name in unl:
-                        dict[name]=1
-            item = getattr(item, '__parent__', _notfound)
-            if item is _notfound:
-                break
-        keys=dict.keys()
-        keys.sort()
-        return tuple(keys)
-
-    def get_local_roles_for_userid(self, userid):
-        dict=self.__ac_local_roles__ or {}
-        return tuple(dict.get(userid, []))
-
-    security.declareProtected(change_permissions, 'manage_addLocalRoles')
-    def manage_addLocalRoles(self, userid, roles):
-        """Set local roles for a user."""
-        if not roles:
-            raise ValueError('One or more roles must be given!')
-        dict = self.__ac_local_roles__
-        if dict is None:
-            self.__ac_local_roles__ = dict = {}
-        local_roles = list(dict.get(userid, []))
-        for r in roles:
-            if r not in local_roles:
-                local_roles.append(r)
-        dict[userid] = local_roles
-        self._p_changed=True
-
-    security.declareProtected(change_permissions, 'manage_setLocalRoles')
-    def manage_setLocalRoles(self, userid, roles):
-        """Set local roles for a user."""
-        if not roles:
-            raise ValueError('One or more roles must be given!')
-        dict = self.__ac_local_roles__
-        if dict is None:
-            self.__ac_local_roles__ = dict = {}
-        dict[userid]=roles
-        self._p_changed = True
-
-    security.declareProtected(change_permissions, 'manage_delLocalRoles')
-    def manage_delLocalRoles(self, userids):
-        """Remove all local roles for a user."""
-        dict = self.__ac_local_roles__
-        if dict is None:
-            self.__ac_local_roles__ = dict = {}
-        for userid in userids:
-            if userid in dict:
-                del dict[userid]
-        self._p_changed=True
-
-    #------------------------------------------------------------
-
-    security.declarePrivate('access_debug_info')
-    def access_debug_info(self):
-        """Return debug info.
-        """
-        clas=class_attrs(self)
-        inst=instance_attrs(self)
-        data=[]
-        _add=data.append
-        for key, value in inst.items():
-            if key.find('__roles__') >= 0:
-                _add({'name': key, 'value': value, 'class': 0})
-            if hasattr(value, '__roles__'):
-                _add({'name': '%s.__roles__' % key, 'value': value.__roles__,
-                      'class': 0})
-        for key, value in clas.items():
-            if key.find('__roles__') >= 0:
-                _add({'name': key, 'value': value, 'class': 1})
-            if hasattr(value, '__roles__'):
-                _add({'name': '%s.__roles__' % key, 'value': value.__roles__,
-                      'class': 1})
-        return data
-
-    def valid_roles(self):
-        """Return list of valid roles.
-        """
-        obj=self
-        dict={}
-        dup =dict.has_key
-        x=0
-        while x < 100:
-            if hasattr(obj, '__ac_roles__'):
-                roles=obj.__ac_roles__
-                for role in roles:
-                    if not dup(role):
-                        dict[role]=1
-            if getattr(obj, '__parent__', None) is None:
-                break
-            obj=obj.__parent__
-            x=x+1
-        roles=dict.keys()
-        roles.sort()
-        return tuple(roles)
-
-    def validate_roles(self, roles):
-        """Return true if all given roles are valid.
-        """
-        valid=self.valid_roles()
-        for role in roles:
-            if role not in valid:
-                return 0
-        return 1
-
-    security.declareProtected(change_permissions, 'userdefined_roles')
-    def userdefined_roles(self):
-        """Return list of user-defined roles.
-        """
-        roles = list(self.__ac_roles__)
-        for role in classattr(self.__class__, '__ac_roles__'):
-            try:
-                roles.remove(role)
-            except:
-                pass
-        return tuple(roles)
-
-    def possible_permissions(self):
-        d = {}
-        permissions = getPermissions()
-        for p in permissions:
-            d[p[0]] = 1
-        for p in self.ac_inherited_permissions(1):
-            d[p[0]] = 1
-
-        d = d.keys()
-        d.sort()
-        return d
-
-InitializeClass(BaseRoleManager)
-
-
-def reqattr(request, attr):
-    try:
-        return request[attr]
-    except:
-        return None
-
-
-def classattr(cls, attr):
-    if hasattr(cls, attr):
-        return getattr(cls, attr)
-    try:
-        bases = cls.__bases__
-    except:
-        bases = ()
-    for base in bases:
-        if classattr(base, attr):
-            return attr
-    return None
-
-
-def instance_dict(inst):
-    try:
-        return inst.__dict__
-    except:
-        return {}
-
-
-def class_dict(_class):
-    try:
-        return _class.__dict__
-    except:
-        return {}
-
-
-def instance_attrs(inst):
-    return instance_dict(inst)
-
-
-def class_attrs(inst, _class=None, data=None):
-    if _class is None:
-        _class=inst.__class__
-        data={}
-
-    clas_dict=class_dict(_class)
-    inst_dict=instance_dict(inst)
-    inst_attr=inst_dict.has_key
-    for key, value in clas_dict.items():
-        if not inst_attr(key):
-            data[key]=value
-    for base in _class.__bases__:
-        data=class_attrs(inst, base, data)
-    return data
-
-
-def gather_permissions(klass, result, seen):
-    for base in klass.__bases__:
-        if '__ac_permissions__' in base.__dict__:
-            for p in base.__ac_permissions__:
-                name=p[0]
-                if name in seen:
-                    continue
-                result.append((name, ()))
-                seen[name] = None
-        gather_permissions(base, result, seen)
-    return result
-
-
-# BBB - this is a bit odd, but the class variable RoleManager.manage_options
-# is used by a lot of code and this isn't available on the deferredimport
-# wrapper
-try:
-    from OFS.role import RoleManager
-    RoleManager # pyflakes
-except ImportError:
-    from zope.deferredimport import deprecated
-    deprecated("RoleManager is no longer part of AccessControl, please "
-               "depend on Zope2 and import from OFS.role",
-        RoleManager = 'OFS.role:RoleManager',
-    )
+# BBB
+from .rolemanager import DEFAULTMAXLISTUSERS
+from .rolemanager import _isBeingUsedAsAMethod
+from .rolemanager import _isNotBeingUsedAsAMethod
+from .rolemanager import BaseRoleManager
+from .rolemanager import reqattr
+from .rolemanager import classattr
+from .rolemanager import instance_dict
+from .rolemanager import class_dict
+from .rolemanager import instance_attrs
+from .rolemanager import class_attrs
+from .rolemanager import gather_permissions
+
+from zope.deferredimport import deprecated
+deprecated("RoleManager is no longer part of AccessControl, please "
+           "depend on Zope2 and import from OFS.role or use the "
+           "BaseRoleManager class from AccessControl.rolemanager.",
+    RoleManager = 'OFS.role:RoleManager',
+)
--- a/src/AccessControl/User.py
+++ b/src/AccessControl/User.py
@@ -35,18 +35,20 @@ from App.Management import Navigation
 from App.Management import Tabs
 from App.special_dtml import DTMLFile
 from App.Dialogs import MessageDialog
+from OFS.role import RoleManager
 from OFS.SimpleItem import Item

-import AuthEncoding
-import SpecialUsers
-from interfaces import IStandardUserFolder
-from requestmethod import requestmethod
-from PermissionRole import _what_not_even_god_should_do, rolesForPermissionOn
-from Role import RoleManager, DEFAULTMAXLISTUSERS
-from SecurityManagement import getSecurityManager
-from SecurityManagement import newSecurityManager
-from SecurityManagement import noSecurityManager
-from ZopeSecurityPolicy import _noroles
+from AccessControl import AuthEncoding
+from AccessControl import SpecialUsers
+from .interfaces import IStandardUserFolder
+from .requestmethod import requestmethod
+from .PermissionRole import _what_not_even_god_should_do
+from .PermissionRole import rolesForPermissionOn
+from .rolemanager import DEFAULTMAXLISTUSERS
+from .SecurityManagement import getSecurityManager
+from .SecurityManagement import newSecurityManager
+from .SecurityManagement import noSecurityManager
+from .ZopeSecurityPolicy import _noroles


 _marker=[]

--- a/src/AccessControl/rolemanager.py
+++ b/src/AccessControl/rolemanager.py
+##############################################################################
+#
+# Copyright (c) 2002 Zope Foundation and Contributors.
+#
+# This software is subject to the provisions of the Zope Public License,
+# Version 2.1 (ZPL).  A copy of the ZPL should accompany this distribution.
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
+# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
+# FOR A PARTICULAR PURPOSE
+#
+##############################################################################
+"""Access control support
+"""
+from cgi import escape
+
+from Acquisition import Acquired
+from Acquisition import aq_base
+from Acquisition import aq_get
+from ExtensionClass import Base
+from zope.interface import implements
+
+from AccessControl import ClassSecurityInfo
+from AccessControl.class_init import InitializeClass
+from AccessControl.interfaces import IRoleManager
+from AccessControl.Permission import getPermissions
+from AccessControl.Permission import Permission
+from AccessControl.PermissionMapping import RoleManager
+from AccessControl.Permissions import change_permissions
+from AccessControl.SecurityManagement import newSecurityManager
+
+DEFAULTMAXLISTUSERS = 250
+
+
+def _isBeingUsedAsAMethod(self):
+    return aq_get(self, '_isBeingUsedAsAMethod_', 0)
+
+
+def _isNotBeingUsedAsAMethod(self):
+    return not aq_get(self, '_isBeingUsedAsAMethod_', 0)
+
+
+class BaseRoleManager(Base, RoleManager):
+    """An object that has configurable permissions"""
+
+    implements(IRoleManager)
+    permissionMappingPossibleValues=Acquired
+    security = ClassSecurityInfo()
+
+    __ac_roles__ = ('Manager', 'Owner', 'Anonymous', 'Authenticated')
+    __ac_local_roles__ = None
+
+    security.declareProtected(change_permissions, 'ac_inherited_permissions')
+    def ac_inherited_permissions(self, all=0):
+        # Get all permissions not defined in ourself that are inherited
+        # This will be a sequence of tuples with a name as the first item and
+        # an empty tuple as the second.
+        d = {}
+        perms = self.__ac_permissions__
+        for p in perms:
+            d[p[0]] = None
+
+        r = gather_permissions(self.__class__, [], d)
+        if all:
+            if hasattr(self, '_subobject_permissions'):
+                for p in self._subobject_permissions():
+                    pname=p[0]
+                    if not pname in d:
+                        d[pname] = 1
+                        r.append(p)
+
+            r = list(perms) + r
+            r.sort()
+
+        return tuple(r)
+
+    security.declareProtected(change_permissions, 'permission_settings')
+    def permission_settings(self, permission=None):
+        """Return user-role permission settings.
+
+        If 'permission' is passed to the method then only the settings for
+        'permission' is returned.
+        """
+        result=[]
+        valid=self.valid_roles()
+        indexes=range(len(valid))
+        ip=0
+
+        permissions = self.ac_inherited_permissions(1)
+        # Filter permissions
+        if permission:
+            permissions = [p for p in permissions if p[0] == permission]
+
+        for p in permissions:
+            name, value = p[:2]
+            p=Permission(name, value, self)
+            roles = p.getRoles(default=[])
+            d={'name': name,
+               'acquire': isinstance(roles, list) and 'CHECKED' or '',
+               'roles': map(
+                   lambda ir, roles=roles, valid=valid, ip=ip:
+                   {
+                       'name': "p%dr%d" % (ip, ir),
+                       'checked': (valid[ir] in roles) and 'CHECKED' or '',
+                       },
+                   indexes)
+               }
+            ip = ip + 1
+            result.append(d)
+        return result
+
+    security.declareProtected(change_permissions, 'manage_role')
+    def manage_role(self, role_to_manage, permissions=[]):
+        """Change the permissions given to the given role.
+        """
+        for p in self.ac_inherited_permissions(1):
+            name, value = p[:2]
+            p=Permission(name, value, self)
+            p.setRole(role_to_manage, name in permissions)
+
+    security.declareProtected(change_permissions, 'manage_acquiredPermissions')
+    def manage_acquiredPermissions(self, permissions=[]):
+        """Change the permissions that acquire.
+        """
+        for p in self.ac_inherited_permissions(1):
+            name, value = p[:2]
+            p = Permission(name, value, self)
+            roles = p.getRoles()
+            if roles is None:
+                continue
+            if name in permissions:
+                p.setRoles(list(roles))
+            else:
+                p.setRoles(tuple(roles))
+
+    def manage_getUserRolesAndPermissions(self, user_id):
+        """ Used for permission/role reporting for a given user_id.
+            Returns a dict mapping
+
+            'user_defined_in' -> path where the user account is defined
+            'roles' -> global roles,
+            'roles_in_context' -> roles in context of the current object,
+            'allowed_permissions' -> permissions allowed for the user,
+            'disallowed_permissions' -> all other permissions
+        """
+        d = {}
+        current = self
+
+        while 1:
+            try:
+                uf = current.acl_users
+            except AttributeError:
+                raise ValueError('User %s could not be found' % user_id)
+
+            userObj = uf.getUser(user_id)
+            if userObj:
+                break
+            else:
+                current = current.__parent__
+
+        newSecurityManager(None, userObj) # necessary?
+        userObj = userObj.__of__(uf)
+
+        d = {'user_defined_in': '/' + uf.absolute_url(1)}
+
+        # roles
+        roles = list(userObj.getRoles())
+        roles.sort()
+        d['roles'] = roles
+
+        # roles in context
+        roles = list(userObj.getRolesInContext(self))
+        roles.sort()
+        d['roles_in_context'] = roles
+
+        # permissions
+        allowed = []
+        disallowed = []
+        permMap = self.manage_getPermissionMapping()
+        for item in permMap:
+            p = item['permission_name']
+            if userObj.has_permission(p, self):
+                allowed.append(p)
+            else:
+                disallowed.append(p)
+
+        d['allowed_permissions'] = allowed
+        d['disallowed_permissions'] = disallowed
+
+        return d
+
+    security.declareProtected(change_permissions, 'manage_permission')
+    def manage_permission(self, permission_to_manage, roles=[], acquire=0):
+        """Change the settings for the given permission.
+
+        If optional arg acquire is true, then the roles for the permission
+        are acquired, in addition to the ones specified, otherwise the
+        permissions are restricted to only the designated roles.
+        """
+        for p in self.ac_inherited_permissions(1):
+            name, value = p[:2]
+            if name == permission_to_manage:
+                p = Permission(name, value, self)
+                if acquire:
+                    roles=list(roles)
+                else:
+                    roles=tuple(roles)
+                p.setRoles(roles)
+                return
+
+        raise ValueError(
+            "The permission <em>%s</em> is invalid." %
+                escape(permission_to_manage))
+
+    security.declareProtected(change_permissions, 'permissionsOfRole')
+    def permissionsOfRole(self, role):
+        """Returns a role to permission mapping.
+        """
+        r = []
+        for p in self.ac_inherited_permissions(1):
+            name, value = p[:2]
+            p = Permission(name, value, self)
+            roles = p.getRoles()
+            r.append({'name': name,
+                      'selected': role in roles and 'SELECTED' or '',
+                      })
+        return r
+
+    security.declareProtected(change_permissions, 'rolesOfPermission')
+    def rolesOfPermission(self, permission):
+        """Returns a permission to role mapping.
+        """
+        valid_roles = self.valid_roles()
+        for p in self.ac_inherited_permissions(1):
+            name, value = p[:2]
+            if name==permission:
+                p = Permission(name, value, self)
+                roles = p.getRoles()
+                return map(
+                    lambda role, roles=roles:
+                    {'name': role,
+                     'selected': role in roles and 'SELECTED' or '',
+                     },
+                    valid_roles)
+
+        raise ValueError(
+            "The permission <em>%s</em> is invalid." % escape(permission))
+
+    security.declareProtected(change_permissions, 'acquiredRolesAreUsedBy')
+    def acquiredRolesAreUsedBy(self, permission):
+        """
+        """
+        for p in self.ac_inherited_permissions(1):
+            name, value = p[:2]
+            if name==permission:
+                p=Permission(name, value, self)
+                roles = p.getRoles()
+                return isinstance(roles, list) and 'CHECKED' or ''
+
+        raise ValueError(
+            "The permission <em>%s</em> is invalid." % escape(permission))
+
+    # Local roles support
+    # -------------------
+    #
+    # Local roles allow a user to be given extra roles in the context
+    # of a particular object (and its children). When a user is given
+    # extra roles in a particular object, an entry for that user is made
+    # in the __ac_local_roles__ dict containing the extra roles.
+
+    def has_local_roles(self):
+        dict=self.__ac_local_roles__ or {}
+        return len(dict)
+
+    def get_local_roles(self):
+        dict=self.__ac_local_roles__ or {}
+        keys=dict.keys()
+        keys.sort()
+        info=[]
+        for key in keys:
+            value=tuple(dict[key])
+            info.append((key, value))
+        return tuple(info)
+
+    def users_with_local_role(self, role):
+        got = {}
+        for user, roles in self.get_local_roles():
+            if role in roles:
+                got[user] = 1
+        return got.keys()
+
+    def get_valid_userids(self):
+        item=self
+        dict={}
+        _notfound = []
+        while 1:
+            aclu = getattr(aq_base(item), '__allow_groups__', _notfound)
+            if aclu is not _notfound:
+                mlu = getattr(aclu, 'maxlistusers', _notfound)
+                if not isinstance(mlu, int):
+                    mlu = DEFAULTMAXLISTUSERS
+                if mlu < 0:
+                    raise OverflowError
+                un = getattr(aclu, 'user_names', _notfound)
+                if un is not _notfound:
+                    un = aclu.__of__(item).user_names # rewrap
+                    unl = un()
+                    # maxlistusers of 0 is list all
+                    if len(unl) > mlu and mlu != 0:
+                        raise OverflowError
+                    for name in unl:
+                        dict[name]=1
+            item = getattr(item, '__parent__', _notfound)
+            if item is _notfound:
+                break
+        keys=dict.keys()
+        keys.sort()
+        return tuple(keys)
+
+    def get_local_roles_for_userid(self, userid):
+        dict=self.__ac_local_roles__ or {}
+        return tuple(dict.get(userid, []))
+
+    security.declareProtected(change_permissions, 'manage_addLocalRoles')
+    def manage_addLocalRoles(self, userid, roles):
+        """Set local roles for a user."""
+        if not roles:
+            raise ValueError('One or more roles must be given!')
+        dict = self.__ac_local_roles__
+        if dict is None:
+            self.__ac_local_roles__ = dict = {}
+        local_roles = list(dict.get(userid, []))
+        for r in roles:
+            if r not in local_roles:
+                local_roles.append(r)
+        dict[userid] = local_roles
+        self._p_changed=True
+
+    security.declareProtected(change_permissions, 'manage_setLocalRoles')
+    def manage_setLocalRoles(self, userid, roles):
+        """Set local roles for a user."""
+        if not roles:
+            raise ValueError('One or more roles must be given!')
+        dict = self.__ac_local_roles__
+        if dict is None:
+            self.__ac_local_roles__ = dict = {}
+        dict[userid]=roles
+        self._p_changed = True
+
+    security.declareProtected(change_permissions, 'manage_delLocalRoles')
+    def manage_delLocalRoles(self, userids):
+        """Remove all local roles for a user."""
+        dict = self.__ac_local_roles__
+        if dict is None:
+            self.__ac_local_roles__ = dict = {}
+        for userid in userids:
+            if userid in dict:
+                del dict[userid]
+        self._p_changed=True
+
+    #------------------------------------------------------------
+
+    security.declarePrivate('access_debug_info')
+    def access_debug_info(self):
+        """Return debug info.
+        """
+        clas=class_attrs(self)
+        inst=instance_attrs(self)
+        data=[]
+        _add=data.append
+        for key, value in inst.items():
+            if key.find('__roles__') >= 0:
+                _add({'name': key, 'value': value, 'class': 0})
+            if hasattr(value, '__roles__'):
+                _add({'name': '%s.__roles__' % key, 'value': value.__roles__,
+                      'class': 0})
+        for key, value in clas.items():
+            if key.find('__roles__') >= 0:
+                _add({'name': key, 'value': value, 'class': 1})
+            if hasattr(value, '__roles__'):
+                _add({'name': '%s.__roles__' % key, 'value': value.__roles__,
+                      'class': 1})
+        return data
+
+    def valid_roles(self):
+        """Return list of valid roles.
+        """
+        obj=self
+        dict={}
+        dup =dict.has_key
+        x=0
+        while x < 100:
+            if hasattr(obj, '__ac_roles__'):
+                roles=obj.__ac_roles__
+                for role in roles:
+                    if not dup(role):
+                        dict[role]=1
+            if getattr(obj, '__parent__', None) is None:
+                break
+            obj=obj.__parent__
+            x=x+1
+        roles=dict.keys()
+        roles.sort()
+        return tuple(roles)
+
+    def validate_roles(self, roles):
+        """Return true if all given roles are valid.
+        """
+        valid=self.valid_roles()
+        for role in roles:
+            if role not in valid:
+                return 0
+        return 1
+
+    security.declareProtected(change_permissions, 'userdefined_roles')
+    def userdefined_roles(self):
+        """Return list of user-defined roles.
+        """
+        roles = list(self.__ac_roles__)
+        for role in classattr(self.__class__, '__ac_roles__'):
+            try:
+                roles.remove(role)
+            except:
+                pass
+        return tuple(roles)
+
+    def possible_permissions(self):
+        d = {}
+        permissions = getPermissions()
+        for p in permissions:
+            d[p[0]] = 1
+        for p in self.ac_inherited_permissions(1):
+            d[p[0]] = 1
+
+        d = d.keys()
+        d.sort()
+        return d
+
+InitializeClass(BaseRoleManager)
+
+
+def reqattr(request, attr):
+    try:
+        return request[attr]
+    except:
+        return None
+
+
+def classattr(cls, attr):
+    if hasattr(cls, attr):
+        return getattr(cls, attr)
+    try:
+        bases = cls.__bases__
+    except:
+        bases = ()
+    for base in bases:
+        if classattr(base, attr):
+            return attr
+    return None
+
+
+def instance_dict(inst):
+    try:
+        return inst.__dict__
+    except:
+        return {}
+
+
+def class_dict(_class):
+    try:
+        return _class.__dict__
+    except:
+        return {}
+
+
+def instance_attrs(inst):
+    return instance_dict(inst)
+
+
+def class_attrs(inst, _class=None, data=None):
+    if _class is None:
+        _class=inst.__class__
+        data={}
+
+    clas_dict=class_dict(_class)
+    inst_dict=instance_dict(inst)
+    inst_attr=inst_dict.has_key
+    for key, value in clas_dict.items():
+        if not inst_attr(key):
+            data[key]=value
+    for base in _class.__bases__:
+        data=class_attrs(inst, base, data)
+    return data
+
+
+def gather_permissions(klass, result, seen):
+    for base in klass.__bases__:
+        if '__ac_permissions__' in base.__dict__:
+            for p in base.__ac_permissions__:
+                name=p[0]
+                if name in seen:
+                    continue
+                result.append((name, ()))
+                seen[name] = None
+        gather_permissions(base, result, seen)
+    return result
--- a/src/AccessControl/tests/testRole.py
+++ b/src/AccessControl/tests/testRole.py
@@ -5,7 +5,7 @@ class TestRoleManager(unittest.TestCase):

    def test_interfaces(self):
        from AccessControl.interfaces import IRoleManager
-        from AccessControl.Role import BaseRoleManager
+        from AccessControl.rolemanager import BaseRoleManager
        from zope.interface.verify import verifyClass

        verifyClass(IRoleManager, BaseRoleManager)

--- a/src/App/Permission.py
+++ b/src/App/Permission.py
@@ -15,9 +15,9 @@


 from AccessControl.class_init import InitializeClass
-from AccessControl.Role import RoleManager
 from AccessControl.SecurityInfo import ClassSecurityInfo
 from Acquisition import Implicit
+from OFS.role import RoleManager
 from OFS.SimpleItem import Item
 from Persistence import Persistent


--- a/src/OFS/DTMLMethod.py
+++ b/src/OFS/DTMLMethod.py
@@ -16,7 +16,6 @@ from urllib import quote

 from AccessControl.class_init import InitializeClass
 from AccessControl.SecurityInfo import ClassSecurityInfo
-from AccessControl.Role import RoleManager
 from Acquisition import Implicit
 from App.special_dtml import DTMLFile
 from App.special_dtml import HTML
@@ -33,6 +32,7 @@ from DocumentTemplate.security import RestrictedDTML
 from OFS.Cache import Cacheable
 from OFS.History import Historical
 from OFS.History import html_diff
+from OFS.role import RoleManager
 from OFS.SimpleItem import Item_w__name__
 from OFS.ZDOM import ElementWithTitle
 from webdav.Lockable import ResourceLockedError

--- a/src/OFS/Folder.py
+++ b/src/OFS/Folder.py
@@ -20,7 +20,6 @@ $Id$
 from AccessControl.class_init import InitializeClass
 from AccessControl.Permissions import add_page_templates
 from AccessControl.Permissions import add_user_folders
-from AccessControl.Role import RoleManager
 from AccessControl.SecurityManagement import getSecurityManager
 from AccessControl.unauthorized import Unauthorized
 from App.special_dtml import DTMLFile
@@ -31,6 +30,7 @@ from OFS.FindSupport import FindSupport
 from OFS.interfaces import IFolder
 from OFS.ObjectManager import ObjectManager
 from OFS.PropertyManager import PropertyManager
+from OFS.role import RoleManager
 from OFS.SimpleItem import Item



--- a/src/OFS/Image.py
+++ b/src/OFS/Image.py
@@ -25,7 +25,6 @@ from AccessControl.Permissions import view_management_screens
 from AccessControl.Permissions import view as View
 from AccessControl.Permissions import ftp_access
 from AccessControl.Permissions import delete_objects
-from AccessControl.Role import RoleManager
 from AccessControl.SecurityInfo import ClassSecurityInfo
 from Acquisition import Implicit
 from App.special_dtml import DTMLFile
@@ -44,6 +43,7 @@ from zope.interface import implements

 from OFS.Cache import Cacheable
 from OFS.PropertyManager import PropertyManager
+from OFS.role import RoleManager
 from OFS.SimpleItem import Item_w__name__

 from zope.event import notify

--- a/src/OFS/SimpleItem.py
+++ b/src/OFS/SimpleItem.py
@@ -30,7 +30,6 @@ from AccessControl.SecurityInfo import ClassSecurityInfo
 from AccessControl.SecurityManagement import getSecurityManager
 from AccessControl.Owned import Owned
 from AccessControl.Permissions import view as View
-from AccessControl.Role import RoleManager
 from AccessControl.unauthorized import Unauthorized
 from AccessControl.ZopeSecurityPolicy import getRoles
 from Acquisition import Acquired
@@ -58,6 +57,7 @@ from OFS.interfaces import IItem
 from OFS.interfaces import IItemWithName
 from OFS.interfaces import ISimpleItem
 from OFS.CopySupport import CopySource
+from OFS.role import RoleManager
 from OFS.Traversable import Traversable
 from OFS.ZDOM import Element


--- a/src/OFS/role.py
+++ b/src/OFS/role.py
@@ -19,8 +19,8 @@ from App.special_dtml import DTMLFile

 from AccessControl import ClassSecurityInfo
 from AccessControl.class_init import InitializeClass
-from AccessControl.Role import BaseRoleManager
-from AccessControl.Role import reqattr
+from AccessControl.rolemanager import BaseRoleManager
+from AccessControl.rolemanager import reqattr
 from AccessControl.Permission import Permission
 from AccessControl.Permissions import change_permissions
 from AccessControl.requestmethod import requestmethod

--- a/src/Products/ExternalMethod/ExternalMethod.py
+++ b/src/Products/ExternalMethod/ExternalMethod.py
@@ -26,7 +26,6 @@ from AccessControl.class_init import InitializeClass
 from AccessControl.Permissions import change_external_methods
 from AccessControl.Permissions import view_management_screens
 from AccessControl.Permissions import view as View
-from AccessControl.Role import RoleManager
 from AccessControl.SecurityInfo import ClassSecurityInfo
 from Acquisition import Acquired
 from Acquisition import Explicit
@@ -36,6 +35,7 @@ from App.Extensions import getPath
 from App.Extensions import FuncCode
 from App.special_dtml import DTMLFile
 from App.special_dtml import HTML
+from OFS.role import RoleManager
 from OFS.SimpleItem import Item
 from OFS.SimpleItem import pretty_tb
 from Persistence import Persistent

--- a/src/Products/MailHost/MailHost.py
+++ b/src/Products/MailHost/MailHost.py
@@ -40,11 +40,11 @@ from AccessControl.class_init import InitializeClass
 from AccessControl.SecurityInfo import ClassSecurityInfo
 from AccessControl.Permissions import change_configuration, view
 from AccessControl.Permissions import use_mailhost_services
-from AccessControl.Role import RoleManager
 from Acquisition import Implicit
 from App.special_dtml import DTMLFile
 from DateTime.DateTime import DateTime
 from Persistence import Persistent
+from OFS.role import RoleManager
 from OFS.SimpleItem import Item

 from zope.interface import implements

--- a/src/Products/Sessions/BrowserIdManager.py
+++ b/src/Products/Sessions/BrowserIdManager.py
@@ -24,7 +24,6 @@ from urlparse import urlunparse

 from AccessControl.class_init import InitializeClass
 from AccessControl.Owned import Owned
-from AccessControl.Role import RoleManager
 from AccessControl.SecurityInfo import ClassSecurityInfo
 from Acquisition import Implicit
 from Acquisition import aq_parent
@@ -33,6 +32,7 @@ from App.Management import Tabs
 from App.special_dtml import DTMLFile
 from Persistence import Persistent
 from persistent import TimeStamp
+from OFS.role import RoleManager
 from OFS.SimpleItem import Item
 from ZPublisher.BeforeTraverse import registerBeforeTraverse
 from ZPublisher.BeforeTraverse import unregisterBeforeTraverse

--- a/src/Products/Sessions/SessionDataManager.py
+++ b/src/Products/Sessions/SessionDataManager.py
@@ -16,11 +16,11 @@ import sys

 from AccessControl.class_init import InitializeClass
 from AccessControl.Owned import Owned
-from AccessControl.Role import RoleManager
 from AccessControl.SecurityInfo import ClassSecurityInfo
 from Acquisition import Implicit
 from App.special_dtml import DTMLFile
 from App.Management import Tabs
+from OFS.role import RoleManager
 from OFS.SimpleItem import Item
 from Persistence import Persistent
 from ZPublisher.BeforeTraverse import registerBeforeTraverse

--- a/src/Shared/DC/ZRDB/Aqueduct.py
+++ b/src/Shared/DC/ZRDB/Aqueduct.py
@@ -21,12 +21,12 @@ import os
 import re
 import string

-from AccessControl.Role import RoleManager
 from Acquisition import Implicit
 from App.Common import package_home
 from DateTime.DateTime import DateTime
 from DocumentTemplate import File
 from DocumentTemplate import HTML
+from OFS.role import RoleManager
 from OFS.SimpleItem import Item
 from Persistence import Persistent
 from zExceptions import Redirect

--- a/src/Shared/DC/ZRDB/Connection.py
+++ b/src/Shared/DC/ZRDB/Connection.py
@@ -26,13 +26,13 @@ from AccessControl.Permissions import view_management_screens
 from AccessControl.Permissions import change_database_connections
 from AccessControl.Permissions import test_database_connections
 from AccessControl.Permissions import open_close_database_connection
-from AccessControl.Role import RoleManager
 from AccessControl.SecurityInfo import ClassSecurityInfo
 from Acquisition import Implicit
 from App.Dialogs import MessageDialog
 from App.special_dtml import DTMLFile
 from DateTime.DateTime import DateTime
 from DocumentTemplate import HTML
+from OFS.role import RoleManager
 from OFS.SimpleItem import Item
 from Persistence import Persistent
 from zExceptions import BadRequest

--- a/src/Shared/DC/ZRDB/DA.py
+++ b/src/Shared/DC/ZRDB/DA.py
@@ -23,7 +23,6 @@ from AccessControl.class_init import InitializeClass
 from AccessControl.Permissions import change_database_methods
 from AccessControl.Permissions import use_database_methods
 from AccessControl.Permissions import view_management_screens
-from AccessControl.Role import RoleManager
 from AccessControl.SecurityInfo import ClassSecurityInfo
 from AccessControl.SecurityManagement import getSecurityManager
 from Acquisition import Implicit
@@ -35,6 +34,7 @@ from DocumentTemplate.security import RestrictedDTML
 from DateTime.DateTime import DateTime
 from ExtensionClass import Base
 from BTrees.OOBTree import OOBucket as Bucket
+from OFS.role import RoleManager
 from OFS.SimpleItem import Item
 from Persistence import Persistent
 from webdav.Resource import Resource