Massive revamp of security

b91674c9 · 5dfa37db · 5dfa37db · b91674c9 · 5dfa37db · 5dfa37db
Commit b91674c9 authored Dec 31, 1997 by
20 changed files
--- a/lib/python/AccessControl/ACL.py
+++ b/lib/python/AccessControl/ACL.py
-"""Access control objects"""
-
-__version__='$Revision: 1.4 $'[11:-2]
-
-
-from Persistence import Persistent
-from DocumentTemplate import HTML
-from Globals import MessageDialog
-from Acquisition import Acquirer
-from string import join, strip, split
-
-class SafeDtml(HTML):
-    """Lobotomized document template w/no editing"""
-
-    def __init__(self,name='',*args,**kw):
-        f=open('%s/lib/python/AccessControl/%s.dtml' % (SOFTWARE_HOME, name))
-        s=f.read()
-        f.close()
-        args=(self,s,)+args
-	apply(HTML.__init__,args,kw)
-
-    manage             =None
-    manage_editDocument=None
-    manage_editForm    =None
-    manage_edit        =None
-
-
-
-class ACL(Persistent, Acquirer):
-    """An object which stores and provides a user 
-       interface to access control information"""
-
-    def __init__(self, groups=[]):
-        self._data={}
-	for g in groups:
-            self._data[g]={}
-
-    id         ='AccessControl'
-    title      ='Access Control'
-    #icon='p_/AccessControlIcon'
-    #AccessControlIcon=ImageFile('www/AccessControl_icon.gif', globals())
-
-    _groupsForm=SafeDtml('groupsForm')
-    _groupForm =SafeDtml('groupForm')
-    _memberForm=SafeDtml('memberForm')
-
-    manage=manage_main=_groupsForm
-
-    def debug(self):
-        """ """
-        return '<html><XMP>%s</XMP></html>' % `self`
-
-    def __len__(self): return len(self._data)
-
-    def has_key(self,k):
-        return self._data.has_key(k)
-
-    def keys(self):
-        return self._data.keys()
-
-    def values(self):
-        return self._data.values()
-
-    def items(self):
-        return self._data.items()
-
-    def __getitem__(self,k):
-        return self._data[k]
-
-    def __setitem__(self,k, v):
-        self._data[k]=v
-        self.__changed__(1)
-
-    def __delitem__(self,k):
-        del self._data[k]
-        self.__changed__(1)
-
-    def groupNames(self):
-        return self._data.keys()
-
-    def manage_addGroup(self,REQUEST,name=''):
-        """Add group"""
-	if not name:
-            return MessageDialog(title='Illegal value', 
-                   message='An illegal value was specified',
-                   action='%s/manage_main' % REQUEST['PARENT_URL'])
-
-        if self._data.has_key(name):
-            return MessageDialog(title='Illegal value',
-                   message='An item with the specified name already exists',
-                   action='%s/manage_main' % REQUEST['PARENT_URL'])
-
-        self._data[name]={}
-        self.__changed__(1)
-        return self._groupsForm(self,REQUEST)
-
-
-    def manage_groupForm(self,REQUEST,name=''):
-        """Edit group"""
-	if not (name):
-            return MessageDialog(title='Illegal value', 
-                   message='An illegal value was specified',
-                   action='%s/manage_main' % REQUEST['PARENT_URL'])
-
-        if not self._data.has_key(name):
-            return MessageDialog(title='Illegal value',
-                   message='The specified item does not exist',
-                   action='%s/manage_main' % REQUEST['PARENT_URL'])
-
-	return self._groupForm(self,REQUEST,groupName=name,
-                               memberNames=self._data[name].keys())
-
-    def manage_deleteGroup(self,REQUEST,names=[]):
-        """Delete group"""
-	if not names:
-            return MessageDialog(title='Illegal value', 
-                   message='An illegal value was specified',
-                   action='%s/manage_main' % REQUEST['PARENT_URL'])
-
-	if type(names)==type('s'): names=[names]
-
-        f=self._data.has_key
-	if 0 in map(f, names):
-            return MessageDialog(title='Illegal value',
-                   message='The specified item does not exist',
-                   action='%s/manage_main' % REQUEST['PARENT_URL'])
-
-	for n in names:
-            del self._data[n]
-        self.__changed__(1)
-        return self._groupsForm(self,REQUEST)
-
-
-    def manage_addMember(self,REQUEST,group='',name='',password='',confirm=''):
-        """Add a member"""
-	if not (group and name and password and confirm):
-            return MessageDialog(title='Illegal value', 
-                   message='An illegal value was specified',
-                   action='%s/manage_main' % REQUEST['PARENT_URL'])
-
-        if not self._data.has_key(group):
-            return MessageDialog(title='Illegal value',
-                   message='The specified item does not exist',
-                   action='%s/manage_main' % REQUEST['PARENT_URL'])
-
-	if self._data[group].has_key(name):
-            return MessageDialog(title='Illegal value', 
-                   message='An item with the specified name already exists',
-                   action='%s/manage_main' % REQUEST['PARENT_URL'])
-
-	if password != confirm:
-            return MessageDialog(title='Illegal value', 
-                   message='Password and confirmation do not match',
-                   action='%s/manage_main' % REQUEST['PARENT_URL'])
-
-        self._data[group][name]=password
-        self.__changed__(1)
-	return self._groupForm(self,REQUEST,groupName=group,
-                               memberNames=self._data[group].keys())
-
-
-    def manage_memberForm(self,REQUEST,group='',name=''):
-        """Edit member"""
-	if not (group and name):
-            return MessageDialog(title='Illegal value', 
-                   message='An illegal value was specified',
-                   action='%s/manage_main' % REQUEST['PARENT_URL'])
-
-        if not self._data.has_key(group):
-            return MessageDialog(title='Illegal value',
-                   message='The specified item does not exist',
-                   action='%s/manage_main' % REQUEST['PARENT_URL'])
-
-        if not self._data[group].has_key(name):
-            return MessageDialog(title='Illegal value',
-                   message='The specified item does not exist',
-                   action='%s/manage_main' % REQUEST['PARENT_URL'])
-
-	g,n,p=group,name,self._data[group][name]
-        return self._memberForm(self,REQUEST,groupName=g,memberName=n,
-                                memberPassword=p)
-
-
-    def manage_editMember(self,REQUEST,group='',name='',password='',
-                          confirm=''):
-        """Add a member"""
-	if not (group and name and password and confirm):
-            return MessageDialog(title='Illegal value', 
-                   message='An illegal value was specified',
-                   action='%s/manage_main' % REQUEST['PARENT_URL'])
-
-        if not self._data.has_key(group):
-            return MessageDialog(title='Illegal value',
-                   message='The specified item does not exist',
-                   action='%s/manage_main' % REQUEST['PARENT_URL'])
-
-	if not self._data[group].has_key(name):
-            return MessageDialog(title='Illegal value',
-                   message='The specified item does not exist',
-                   action='%s/manage_main' % REQUEST['PARENT_URL'])
-
-	if password != confirm:
-            return MessageDialog(title='Illegal value', 
-                   message='Password and confirmation do not match',
-                   action='%s/manage_main' % REQUEST['PARENT_URL'])
-
-        self._data[group][name]=password
-        self.__changed__(1)
-	return self._groupForm(self,REQUEST,groupName=group,
-                               memberNames=self._data[group].keys())
-
-
-    def manage_deleteMember(self,REQUEST,group='',names=[]):
-        """Delete members"""
-	if not (group and names):
-            return MessageDialog(title='Illegal value', 
-                   message='An illegal value was specified',
-                   action='%s/manage_main' % REQUEST['PARENT_URL'])
-
-        if not self._data.has_key(group):
-            return MessageDialog(title='Illegal value',
-                   message='The specified item does not exist',
-                   action='%s/manage_main' % REQUEST['PARENT_URL'])
-
-	if type(names)==type('s'): names=[names]
-        f=self._data[group].has_key
-
-	if 0 in map(f, names):
-            return MessageDialog(title='Illegal value',
-                   message='The specified item does not exist',
-                   action='%s/manage_main' % REQUEST['PARENT_URL'])
-
-	for n in names:
-            del self._data[group][n]
-        self.__changed__(1)
-	return self._groupForm(self,REQUEST,groupName=group,
-                               memberNames=self._data[group].keys())
-
-
-
-class RoleManager:
-    def roles_string(self):
-	try: return join(self.__roles__)
-	except: return ''
-
-    def parse_roles_string(self, roles):
-	"""Utility routine for parsing roles given as a string
-	"""
-	try: del self.__roles__
-	except: pass
-	if not roles: return
-	roles=map(strip,split(strip(roles)))
-	if roles=='public':
-	    self.__roles__=None
-	elif roles: self.__roles__=roles
--- a/lib/python/AccessControl/AccessControl.txt
+++ b/lib/python/AccessControl/AccessControl.txt
+Security Architecture
+---------------------
+
+Users
+-----
+
+Objects representing users may be created in Principia
+User Folder objects. User objects maintain the information
+used to authenticate users, and allow roles to be associated
+with a user.
+
+
+
+Permissions
+-----------
+
+A "permission" is the smallest unit of access to an object,
+roughly equivalent to the atomic permissions seen in NT:
+R (Read), W(Write), X(Execute), etc. In Principia, a permission
+usually describes a fine-grained logical operation on an object,
+such as "View Management Screens", "Add Properties", etc.
+
+Different types of objects will define different permissions
+as appropriate for the object.
+
+
+
+Types of access
+---------------
+
+A "type of access" is a named grouping of 0 or more of the
+permissions defined by an object. All objects have one predefined
+type of access called Full Access (all permissions defined by that 
+object). A user who has the special role "Manager" always has Full 
+Access to all objects at or below the level in the object hierarchy 
+at which the user is defined.
+
+New types of access may be defined as combinations of the
+various permissions defined by a given object. These new
+types of access may be defined by the programmer, or by
+users at runtime. 
+
+
+
+
+Roles
+-----
+
+A role is a name that ties users (authentication of identity)
+to permissions (authorization for that identity) in the system.
+Roles may be defined in any Folder (or Folderish) object in the
+system. Sub folders can make use of roles defined higher in the
+hierarchy. These roles can be assigned to users. All users, 
+including non-authenticated users have the built-in role of 
+"Anonymous". 
+
+Principia objects allow the association of defined roles 
+with a single "type of access" each, in the context of that 
+object. A single role is associated with one and only one 
+type of access in the context of a given object.
+
+
+
+Examples
+--------
+
+  User                        Object1
+
+  o has the role "RoleA"      o has given "RoleA" Full Access
+
+  Result: the user has Full Access to Object1.
+
+
+
+  User                        Object2
+  o has the role "RoleA"      o has given "RoleB" Full Access
+
+                              o has given the role "RoleA" View Access,
+                                a custom type of access that allows only
+                                viewing of the object.
+
+  Result: the user has only View Access.
+
+
+
+Notes
+-----
+
+All objects define a permission called "Default permission". If this
+permission is given to a role, users with that role will be able to
+access subobjects which do not explicitly restrict access.
+
+
+
+Technical
+---------
+
+Objects define their permissions as logical operations.
+Programmers have to determine the appropriate operations
+for their object type, and provide a mapping of permission
+name to attribute names. It is important to note that permissions
+cannot overlap - none of the attributes named in a permission
+can occur in any of the other permissions. The following are
+proposed permissions for some current principia objects:
+
+
+Folder
+  o View management screens
+  o Change permissions
+  o Undo changes
+  o Add objects
+  o Delete objects
+  o Add properties
+  o Change properties
+  o Delete properties
+  o Default permission
+
+Confera Topic
+  o View management screens
+  o Change permissions
+  o Undo changes
+  o Add objects
+  o Delete objects
+  o Add properties
+  o Change properties
+  o Delete properties
+  o Default permission
+  o Change Configuration
+  o Add Messages
+  o Change Messages
+  o Delete Messages
+
+Tabula Collection
+  o View management screens
+  o Change permissions
+  o Undo changes
+  o Add objects
+  o Delete objects
+  o Add properties
+  o Change properties
+  o Delete properties
+  o Default permission
+  o Change schema
+  o Upload data
+  o Add computed fields
+  o Change computed fields
+  o Delete computed fields
+
+Document/Image/File
+  o View management screens
+  o Change permissions
+  o Change/upload data
+  o View
+
+Session
+  o View management screens
+  o Change permissions
+  o Change session config
+  o Join/leave session
+  o Save/discard session
+
+Mail Host
+  o View management screens
+  o Change permissions
+  o Change configuration
+
+
+
+
+To support the architecture, developers must derive an
+object from the AccessControl.RoleManager mixin class,
+and define in their class an __ac_permissions__ attribute.
+
+This should be a tuple of tuples, where each tuple represents
+a permission and contains a string permission name as its first
+element and a list of attribute names as its second element.
+
+Example:
+
+    __ac_permissions__=(
+
+    ('View management screens',
+     ['manage','manage_menu','manage_main','manage_copyright',
+      'manage_tabs','manage_propertiesForm','manage_UndoForm']),
+    ('Undo changes',       ['manage_undo_transactions']),
+    ('Change permissions', ['manage_access']),
+    ('Add objects',        ['manage_addObject']),
+    ('Delete objects',     ['manage_delObjects']),
+    ('Add properties',     ['manage_addProperty']),
+    ('Change properties',  ['manage_editProperties']),
+    ('Delete properties',  ['manage_delProperties']),
+    ('Default permission', ['']),
+    )
+   
+
+
+The developer may also predefine useful types of access, by
+specifying an __ac_types__ attribute. This should be a tuple of 
+tuples, where each tuple represents a type of access and contains 
+a string name as its first element and a list of permission names 
+as its second element.
+
+By default, only "Full Access" is defined (by the RoleManager mixin).
+If you wish to override __ac_types__ to provide convenient types of
+access, you must always be sure to define "Full Access" as containing 
+the names of all possible permissions for your object.
+
+Example:
+
+    __ac_types__=(
+
+    ('Full Access', map(lambda x: x[0], __ac_permissions__)),
+    ('Change', ['Add Objects', 'Add Properties', 'Change Properties']),
+
+    )
+
+
+
+Developers may also provide pre-defined role names that are
+not deletable via the interface by specifying an __ac_roles__
+attribute. This is probably not something we'll ever use under
+the new architecture, but it's there if you need it.
+
+Example:
+
+    __ac_roles__=('Manager', 'Anonymous')
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
--- a/lib/python/AccessControl/Generic_manage.dtml
+++ b/lib/python/AccessControl/Generic_manage.dtml
-<HTML>
-<HEAD>
-<TITLE><!--#var title--></TITLE>
-</HEAD>
-<FRAMESET FRAMEBORDER="NO" BORDER="0" FRAMESPACING="0" COLS="140,*">
-  <FRAME SRC="manage_menu" NAME="manage_menu"
-         MARGINWIDTH="6" MARGINHEIGHT="6" SCROLLING="auto">
-  <FRAME SRC="manage_main" NAME="manage_main"
-         MARGINWIDTH="0" MARGINHEIGHT="0" SCROLLING="auto">
-</FRAMESET>
-<NOFRAMES>
-Management interfaces require the use of a 
-<STRONG>frames-capable</STRONG> web browser.
-</NOFRAMES>
-</HTML>
-
--- a/lib/python/AccessControl/Generic_manage_menu.dtml
+++ b/lib/python/AccessControl/Generic_manage_menu.dtml
-<HTML>
-<HEAD>
-<TITLE>Management Menu</TITLE>
-</HEAD>
-<BODY BACKGROUND="<!--#var SOFTWARE_URL-->/App/background.jpg"
-      BGCOLOR="#FFFFFF" LINK="#000099" VLINK="#555555" ALINK="#77003B">
-
-<TABLE BORDER="0">
-<TR>
-  <TD ALIGN="LEFT" COLSPAN="2" VALIGN="TOP">
-  <IMG SRC="<!--#var SOFTWARE_URL-->/logo.jpg"
-       WIDTH="90" HEIGHT="90">
-  <BR>
-  </TD>
-</TR>
-<TR><TD></TD><TD></TD></TR>
-
-<!--#if manage_options-->
-<!--#in manage_options mapping-->
-<!--#if sequence-item-->
-<TR>
-  <TD ALIGN="LEFT" VALIGN="TOP">
-  <A HREF="<!--#var action-->"
-     TARGET="<!--#var target-->"><IMG BORDER="0" HEIGHT="16"
-     WIDTH="16" ALT="<!--#var label-->"
-     SRC="<!--#var SOFTWARE_URL-->/<!--#var icon-->"></A>
-  </TD>
-  <TD ALIGN="LEFT">
-  <FONT SIZE="-1">
-  <A HREF="<!--#var action-->"
-     TARGET="<!--#var target-->">
-  <!--#var label-->
-  </A></FONT>
-  </TD>
-</TR>
-<!--#else sequence-item-->
-<TR><TD COLSPAN="2"><HR></TD></TR>
-<!--#/if sequence-item-->
-<!--#/in manage_options-->
-<!--#/if manage_options-->
-</TABLE>
-</BODY>
-</HTML>
-
--- a/lib/python/AccessControl/Role.py
+++ b/lib/python/AccessControl/Role.py
-"""Access control package"""
+"""Access control support"""
+
+__version__='$Revision: 1.8 $'[11:-2]
+
+
+from Globals import HTMLFile, MessageDialog
+from string import join, strip, split, find
+from Acquisition import Implicit
+

-__version__='$Revision: 1.7 $'[11:-2]

-import Globals
-from User import SafeDtml
-from Globals import MessageDialog
-from string import join, strip, split


 class RoleManager:
-    """Mixin role management support"""

-    manage_rolesForm=SafeDtml('AccessControl/manage_rolesForm')
-    smallRolesWidget=SafeDtml('AccessControl/smallRolesWidget')
+    __ac_permissions__=(('View management screens', []),
+			('Change permissions', []),
+			('Add objects', []),
+			('Delete objects', []),
+			('Add properties', []),
+			('Change properties', []),
+			('Delete properties', []),
+			('Default permission',['']),
+		       )
+   
+    __ac_types__=(('Full Access', map(lambda x: x[0], __ac_permissions__)),
+		 )
+
+    __ac_roles__=('Manager', 'Anonymous')
+
+    def access_info(self):
+	# Return access summary info
+	data={}
+	for t in self.access_types():
+	    name=t.name
+	    for role in t.getRoles():
+		data[role]=name
+#        try:    del data['Manager']
+#	except: pass
+	keys=data.keys()
+	for i in range(len(keys)):
+	    key=keys[i]
+	    keys[i]={'name': key, 'value': data[key]}
+	return keys
+
+    def access_defaults(self):
+	data=[]
+	for p in self.access_permissions():
+	    if not p.getRoles():
+		data.append(p)
+	return data
+
+    def access_types(self):
+	# Return list of access type objects
+	list=[]
+	for name,value in self.__ac_types__:
+	    list.append(AccessType(name,value,self))
+	return list
+
+    def access_types_dict(self):
+	# Return dict of access type objects
+	dict={}
+	for name,value in self.__ac_types__:
+	    dict[name]=AccessType(name,value,self)
+	return dict
+
+    def access_types_gc(self, dict):
+	# Remove unused types of access
+	static=map(lambda x: x[0], self.__class__.__ac_types__)
+
+	data=list(self.__ac_types__)
+	flag=0
+	for name, type in dict.items():
+	    roles=type.getRoles()
+	    if not roles and name not in static:
+		try:
+		    data.remove((name, type.data))
+		    flag=1
+		except:
+		    pass
+	if flag: self.__ac_types__=tuple(data)
+
+    def access_type_for(self, role):
+	for type in self.access_types():
+	    if role in type.getRoles():
+		return type
+	return None
+
+    def access_permissions(self):
+	# Return list of permission objects
+	list=[]
+	for name,value in self.__ac_permissions__:
+	    list.append(Permission(name,value,self))
+	return list
+
+    def access_permissions_dict(self):
+	# Return dict of access permission objects
+	dict={}
+	for name,value in self.__ac_permissions__:
+	    dict[name]=Permission(name,value,self)
+	return dict
+
+    def access_debug_info(self):
+	# Return debug info
+	clas=class_attrs(self)
+	inst=instance_attrs(self)
+	data=[]
+	_add=data.append
+	for key, value in inst.items():
+	    if find(key,'__roles__') >= 0:
+		_add({'name': key, 'value': value, 'class': 0})
+	    if hasattr(value, '__roles__'):
+		_add({'name': '%s.__roles__' % key, 'value': value.__roles__, 
+		      'class': 0})
+	for key, value in clas.items():
+	    if find(key,'__roles__') >= 0:
+		_add({'name': key, 'value': value, 'class' : 1})
+	    if hasattr(value, '__roles__'):
+		_add({'name': '%s.__roles__' % key, 'value': value.__roles__, 
+		      'class': 1})
+	return data
+
+    def valid_roles(self):
+	# Return list of valid roles
+        obj=self
+	dict={}
+	dup =dict.has_key
+        x=0
+        while x < 100:
+	    try:    roles=obj.__ac_roles__
+	    except: roles=()
+	    for role in roles:
+		if not dup(role):
+		    dict[role]=1
+	    try:    obj=obj.aq_parent
+	    except: break
+	    x=x+1
+	roles=dict.keys()
+	roles.sort()
+	return roles
+
+    def validate_roles(self, roles):
+	# Return true if all given roles are valid
+	valid=self.valid_roles()
+	for role in roles:
+	    if role not in valid:
+		return 0
+	return 1
+
+    def userdefined_roles(self):
+	# Return list of user-defined roles
+	roles=list(self.__ac_roles__)
+	for role in classattr(self.__class__,'__ac_roles__'):
+	    try:    roles.remove(role)
+	    except: pass
+	return roles
+
+    _mainAccess=HTMLFile('mainAccess', globals())
+    _listAccess=HTMLFile('listAccess', globals())
+    _editAccess=HTMLFile('editAccess', globals())
+    _specAccess=HTMLFile('specAccess', globals())
+    _add_Access=HTMLFile('addAccess', globals())
+
+    def manage_access(self,SUBMIT=None,REQUEST=None):
+	""" """
+	if SUBMIT=='Add...':
+	    return self._add_Access(self, REQUEST)
+
+	if SUBMIT=='Edit':
+	    return self._editAccess(self, REQUEST)
+
+	if SUBMIT=='Add':
+	    roles =reqattr(REQUEST, 'roles')
+	    access=reqattr(REQUEST, 'access')
+	    return self._addAccess(roles, access, REQUEST)
+
+	if SUBMIT=='List':
+	    return self._listAccess(self, REQUEST)
+
+	if SUBMIT=='Change':
+	    role  =reqattr(REQUEST, 'role')
+	    access=reqattr(REQUEST, 'access')
+	    return self._changeAccess(role, access, REQUEST)
+
+	if SUBMIT=='Remove':
+	    roles=reqattr(REQUEST, 'roles')
+	    return self._delAccess(roles, REQUEST)
+
+	if SUBMIT=='OK':
+	    permissions=reqattr(REQUEST, 'permissions')
+	    access=reqattr(REQUEST, 'access')
+	    roles =reqattr(REQUEST, 'roles')
+	    return self._specialAccess(roles,access,permissions,REQUEST)
+
+	if SUBMIT=='Add Role':
+	    role=reqattr(REQUEST, 'role')
+	    return self._addRole(role, REQUEST)
+
+	if SUBMIT=='Delete Role':
+	    roles=reqattr(REQUEST, 'roles')
+	    return self._delRoles(roles, REQUEST)
+
+	return self._mainAccess(self,REQUEST)
+
+    def _addAccess(self, roles, access, REQUEST):
+	if not roles or not access:
+	    return MessageDialog(
+		   title  ='Incomplete',
+		   message='You must specify roles and a type of access',
+		   action ='manage_access')
+	if not self.validate_roles(roles):
+	    return MessageDialog(
+		   title  ='Undefined Role',
+		   message='An undefined role was specified',
+		   action ='manage_access')
+	if access=='Special Access...':
+	    return self._specAccess(self, REQUEST)
+	types=self.access_types_dict()
+	for type in types.values():
+	    type.delRoles(roles)
+	types[access].setRoles(roles)
+	return self._mainAccess(self, REQUEST)
+
+    def _changeAccess(self, role, access, REQUEST=None):
+	if not access or not role:
+	    return MessageDialog(
+		   title  ='Incomplete',
+		   message='You must specify a type of access',
+		   action ='manage_access')
+	if not self.validate_roles([role,]):
+	    return MessageDialog(
+		   title  ='Undefined Role',
+		   message='An undefined role was specified',
+		   action ='manage_access')
+	if access=='Special Access...':
+	    REQUEST['roles']=[role,]
+	    return self._specAccess(self, REQUEST)
+	types=self.access_types_dict()
+	for type in types.values():
+	    type.delRoles([role,])
+	types[access].setRoles([role,])
+	self.access_types_gc(types)
+	return self._mainAccess(self, REQUEST)
+
+    def _specialAccess(self, roles, access, permissions, REQUEST=None):
+	if not roles or not access:
+	    return MessageDialog(
+		   title  ='Incomplete',
+		   message='You must specify roles and a type of access',
+		   action ='manage_access')
+	if not self.validate_roles(roles):
+	    return MessageDialog(
+		   title  ='Undefined Role',
+		   message='An undefined role was specified',
+		   action ='manage_access')
+
+	if not permissions: permissions=[]
+
+	dict=self.access_permissions_dict()
+	if 0 in map(dict.has_key, permissions):
+	    return MessageDialog(
+		   title  ='Unknown permission',
+		   message='An unknown permission was specified',
+		   action ='manage_changeAccess')
+	dict=self.access_types_dict()
+	if dict.has_key(access):
+	    return MessageDialog(
+		   title  ='Name in use',
+		   message='The name specified is already in use',
+		   action ='manage_access')
+
+	# Check for duplicate access types
+	permissions.sort()
+	for key, value in dict.items():
+	    names=value.data[:]
+	    names.sort()
+	    if permissions==names:
+		return MessageDialog(
+		       title  ='Already defined',
+		       message='Another access type (%s) is already defined '\
+		               'with the selected permissions' % key,
+		       action ='manage_access')
+
+	self.__ac_types__=self.__ac_types__+((access,permissions),)
+	types=self.access_types_dict()
+	for type in types.values():
+	    type.delRoles(roles)
+	types[access].setRoles(roles)
+	return self._mainAccess(self, REQUEST)
+
+    def _delAccess(self, roles, REQUEST=None):
+	if not roles:
+	    return MessageDialog(
+		   title  ='Incomplete',
+		   message='You must specify roles to remove',
+		   action ='manage_access')
+	types=self.access_types_dict()
+	for type in types.values():
+	    type.delRoles(roles)
+	self.access_types_gc(types)
+	return self._mainAccess(self, REQUEST)
+
+    def _addRole(self, role, REQUEST=None):
+	if not role:
+	    return MessageDialog(
+		   title  ='Incomplete',
+		   message='You must specify a role name',
+		   action ='manage_changeAccess')
+	if role in self.__ac_roles__:
+	    return MessageDialog(
+		   title  ='Role Exists',
+		   message='The given role is already defined',
+		   action ='manage_changeAccess')
+	data=list(self.__ac_roles__)
+	data.append(role)
+	self.__ac_roles__=tuple(data)
+	return self._mainAccess(self, REQUEST)
+
+    def _delRoles(self, roles, REQUEST):
+	if not roles:
+	    return MessageDialog(
+		   title  ='Incomplete',
+		   message='You must specify a role name',
+		   action ='manage_changeAccess')
+	data=list(self.__ac_roles__)
+	for role in roles:
+	    try:    data.remove(role)
+	    except: pass
+	self.__ac_roles__=tuple(data)
+	return self._mainAccess(self, REQUEST)
+
+
+
+
+    smallRolesWidget=''
+
+
+
+
+    validRoles=valid_roles
+    manage_rolesForm=manage_access
+    #manage_rolesForm=HTMLFile('manage_rolesForm', globals())
+    #smallRolesWidget=HTMLFile('smallRolesWidget', globals())


    def selectedRoles(self):
@@ -48,59 +376,246 @@ class RoleManager:
 	    return ''
 	return ' CHECKED'

-
    def manage_editRoles(self,REQUEST,acl_type='A',acl_roles=[]):
-        """ """
-	if hasattr(self,'aq_self'):
-	    try:    del self.aq_self.__roles__
-	    except: pass
-	if acl_type=='A':
-	    return self.manage_rolesForm(self,REQUEST)
-	if acl_type=='P':
-	    self.__roles__=None
-	    return self.manage_rolesForm(self,REQUEST)
-	if not acl_roles:
-	    raise 'Bad Request','No roles specified!'
-	self.__roles__=acl_roles
-        return self.manage_rolesForm(self,REQUEST)
-
+	pass

    def _setRoles(self,acl_type,acl_roles):
-	# Non-web helper to correctly set roles
-	if hasattr(self,'aq_self'):
-	    try:    del self.aq_self.__roles__
-	    except: pass
-	if acl_type=='A':
-	    return
-	if acl_type=='P':
-	    self.__roles__=None
-	    return
-	if not acl_roles:
-	    raise 'Bad Request','No roles specified!'
-	self.__roles__=acl_roles
-
-
-
-
-# $Log: Role.py,v $
-# Revision 1.7  1997/12/05 17:10:08  brian
-# New UI
-#
-# Revision 1.6  1997/11/18 21:48:20  brian
-# Fixed bug that appeared after __roles__ were allowed to be acquired.
-#
-# Revision 1.5  1997/11/07 17:10:03  brian
-# Moved validRoles manage_addRole and manage_deleteRole to app object
-#
-# Revision 1.4  1997/11/06 22:45:26  brian
-# Added global roles to app
-#
-# Revision 1.3  1997/09/08 23:01:33  brian
-# Style mods
-#
-# Revision 1.2  1997/09/02 18:12:13  jim
-# Added smallRolesWidget.
-#
-# Revision 1.1  1997/08/29 18:34:53  brian
-# Added basic role management to package.
-#
+	pass
+
+
+
+class Permission:
+    # A Permission maps a named logical permission to a set
+    # of attribute names. Attribute names which appear in a
+    # permission may not appear in any other permission defined
+    # by the object.
+
+    def __init__(self,name,data,obj):
+	self.name=name
+	self.data=data
+	self.obj =obj
+
+    def getRoles(self):
+	# Return the list of role names which have been given
+	# this permission for the object in question. To do
+	# this, we try to get __roles__ from all of the object
+	# attributes that this permission represents.
+	name=self.data[0]
+	if name=='': attr=self.obj
+	else: attr=getattr(self.obj, name)
+	if hasattr(attr,'aq_self'): attr=attr.aq_self
+	if hasattr(attr, '__roles__'):
+	    roles=attr.__roles__
+	    if roles is None:
+		return ['Manager','Anonymous']
+	    return roles
+	return []
+
+    def setRoles(self, roles):
+	# Add the given list of role names to the appropriate
+	# subobjects for this permission. To do this, we add
+	# the given roles to the __roles__ of each attribute
+	# that this permission represents.
+	for name in self.data:
+	    if name=='': attr=self.obj
+	    else: attr=getattr(self.obj, name)
+	    if hasattr(attr,'aq_self'):
+		attr=attr.aq_self
+	    if hasattr(attr, '__roles__'):
+		data=attr.__roles__
+	    else: data=[]
+	    if data is None:
+		data=[]
+	    data=list(data)
+	    for role in roles:
+		data.append(role)
+	    attr.__roles__=data
+
+    def delRoles(self, roles):
+	# Remove the given list of role names from the appropriate
+	# subobjects for this permission. To do this, we remove
+	# the given roles from the __roles__ of each attribute
+	# that this permission represents. If the __roles__ of any
+	# attribute is thus left empty, it is deleted.
+	for name in self.data:
+	    if name=='': attr=self.obj
+	    else: attr=getattr(self.obj, name)
+	    if hasattr(attr,'aq_self'):
+		attr=attr.aq_self
+	    if not hasattr(attr, '__roles__'):
+		return
+	    data=attr.__roles__
+	    if data is None: data=[]
+	    data=list(data)
+	    for role in roles:
+		if role in data:
+		    data.remove(role)
+	    if data: attr.__roles__=data
+	    else:    del attr.__roles__
+
+    def __len__(self): return 1
+    def __str__(self): return self.name
+
+
+
+class AccessType:
+    # An AccessType is a named subset of 0 or more of the
+    # permissions defined by an object. AccessTypes may
+    # have overlapping permissions, but two AccessTypes
+    # cannot map to the exact same subset of permissions.
+
+    def __init__(self,name,data,obj):
+	self.name=name
+	self.data=data
+	self.obj =obj
+
+    def getRoles(self):
+	# Return the list of role names which have been given
+	# this type of access for the object in question. To
+	# determine this, we iterate through the permissions
+	# that this access type represents, asking each for 
+	# the list of roles which have that permission.
+	# Role names which appear in all of the lists returned
+	# by our set of permissions *and* in no other lists
+	# are returned.
+        dict ={}
+	names=[]
+	lists=[]
+	roles=[]
+	value=[]
+	for p in self.obj.access_permissions():
+	    dict[p.name]=p.getRoles()
+	for p in self.data:
+	    for role in dict[p]:
+		if role not in names:
+		    names.append(role)
+	    lists.append(dict[p])
+	for name in names:
+	    for list in lists:
+		if name not in list:
+		    name=None
+		    break
+	    if name: roles.append(name)
+	lists=[]
+	for p in dict.keys():
+	    if p not in self.data:
+		lists.append(dict[p])
+	for role in roles:
+	    for list in lists:
+		if role in list:
+		    role=None
+		    break
+	    if role: value.append(role)
+	return value
+
+    def setRoles(self, roles):
+	# Add the given list of role names to the appropriate 
+	# subobjects for this type of access. To do this, we
+	# just call the setRoles method for each permission
+	# in the list of permissions represented by this type
+	# of access.
+	permissions={}
+	for p in self.obj.access_permissions():
+	    permissions[p.name]=p
+	for p in self.data:
+	    permissions[p].setRoles(roles)
+
+    def delRoles(self, roles):
+	# Remove the given list of role names from the appropriate
+	# subobjects for this type of access. To do this, we call
+	# the delRoles method for each permission in the list of
+	# permissions represented by this type of access.
+	permissions={}
+	for p in self.obj.access_permissions():
+	    permissions[p.name]=p
+	for p in self.data:
+	    permissions[p].delRoles(roles)
+
+    def __len__(self): return 1
+    def __str__(self): return self.name
+
+
+
+
+def absattr(attr):
+    if callable(attr): return attr()
+    return attr
+
+def reqattr(request, attr):
+    try:    return request[attr]
+    except: return None
+
+def classattr(cls, attr):
+    if hasattr(cls, attr):
+	return getattr(cls, attr)
+    try:    bases=cls.__bases__
+    except: bases=()
+    for base in bases:
+	if classattr(base, attr):
+	    return attr
+    return None
+
+
+
+def instance_dict(inst):
+    try:    return inst.__dict__
+    except: return {}
+
+def class_dict(_class):
+    try:    return _class.__dict__
+    except: return {}
+
+def instance_attrs(inst):
+    return instance_dict(inst)
+
+def class_attrs(inst, _class=None, data=None):
+    if _class is None:
+	_class=inst.__class__
+	data={}
+
+    clas_dict=class_dict(_class)
+    inst_dict=instance_dict(inst)
+    inst_attr=inst_dict.has_key
+    for key, value in clas_dict.items():
+	if not inst_attr(key):
+	    data[key]=value
+    for base in _class.__bases__:
+	data=class_attrs(inst, base, data)
+    return data
+
+
+
+#     Folder
+#     __ac_permissions__=(
+#     ('View Management Screens',
+#      ['manage','manage_menu','manage_main','manage_copyright',
+#       'manage_tabs','manage_propertiesForm','manage_UndoForm']),
+#     ('Undo Changes',       ['manage_undo_transactions']),
+#     ('Change Permissions', ['manage_access']),
+#     ('Add Objects',        ['manage_addObject']),
+#     ('Delete Objects',     ['manage_delObjects']),
+#     ('Add Properties',     ['manage_addProperty']),
+#     ('Change Properties',  ['manage_editProperties']),
+#     ('Delete Properties',  ['manage_delProperties']),
+#     )
+   
+#     __ac_types__=(('Full Access', map(lambda x: x[0], __ac_permissions__)),
+# 		 )
+#     __ac_roles__=('Manager', 'Anonymous'
+# 		 )
+
+
+
+#     Document
+#     __ac_permissions__=(
+#     ('View Management Screens', ['manage','manage_tabs','manage_uploadForm']),
+#     ('Change Permissions', ['manage_access']),
+#     ('Change/Upload Data', ['manage_edit','manage_upload','PUT']),
+#     ('View', ['',]),
+#     )
+   
+#     __ac_types__=(('Full Access', map(lambda x: x[0], __ac_permissions__)),
+# 		  ('View Access', ['View',]),
+# 		 )
+
+#     __ac_roles__=('Manager', 'Anonymous')
--- a/lib/python/AccessControl/RoleManager_manage_rolesForm.dtml
+++ b/lib/python/AccessControl/RoleManager_manage_rolesForm.dtml
-<HTML>
-<HEAD>
-<TITLE>Security</TITLE>
-</HEAD>
-<BODY BGCOLOR="#FFFFFF" LINK="#000099" VLINK="#555555" ALINK="#77003B">
-<!--#var manage_tabs-->
-
-<P>
-You may restrict access to <EM><!--#var title_or_id--></EM> using the form 
-below. To add or remove roles, select or deselect 
-the desired role names and click &quot;Change&quot;.
-<P>
-<FORM ACTION="manage_editRoles" METHOD="POST">
-<TABLE>
-<TR>
-<TD VALIGN=CENTER><STRONG>Access<BR>Control</STRONG></TD>
-<TD VALIGN="TOP">
-<INPUT TYPE="RADIO" NAME="acl_type" VALUE="E"<!--#var aclEChecked-->>
-Allow users with selected roles
-<BR>
-<INPUT TYPE="RADIO" NAME="acl_type" VALUE="A"<!--#var aclAChecked-->>
-Allow based on default roles
-<BR>
-<INPUT TYPE="RADIO" NAME="acl_type" VALUE="P"<!--#var aclPChecked-->> 
-Allow all users
-</TD>
-<TD VALIGN="TOP">
-<SELECT NAME="acl_roles:list" SIZE="4" MULTIPLE>
-<!--#in selectedRoles-->
-<!--#var sequence-item-->
-<!--#/in selectedRoles-->
-</SELECT>
-</TD>
-</TR>
-<TR>
-  <TD ALIGN="LEFT" VALIGN="TOP">
-  </TD>
-  <TD ALIGN="LEFT" VALIGN="TOP">
-  <INPUT TYPE="SUBMIT" VALUE="Change">
-  </TD>
-</TR>
-
-</TABLE>
-</FORM>
-
-<P>
-<FORM ACTION="manage_addRole" METHOD="POST">
-To add a new, user-defined role to this object, enter the name of 
-the new role and click &quot;Add&quot;.
-<BR>
-<INPUT TYPE="TEXT" NAME="role" SIZE="20">
-<BR>
-<INPUT TYPE="SUBMIT" VALUE=" Add ">
-</FORM>
-</BODY>
-</HTML>
--- a/lib/python/AccessControl/User.py
+++ b/lib/python/AccessControl/User.py
 """Access control package"""

-__version__='$Revision: 1.26 $'[11:-2]
+__version__='$Revision: 1.27 $'[11:-2]
+

-import Globals
-from Persistence import Persistent
 from PersistentMapping import PersistentMapping
+from Persistence import Persistent
+from Globals import HTMLFile, MessageDialog
+from string import join,strip,split,lower
 from App.Management import Management
-from OFS.SimpleItem import Item
 from Acquisition import Implicit
-from DocumentTemplate import HTML
-from Globals import MessageDialog
+from OFS.SimpleItem import Item
 from base64 import decodestring
-from string import join,strip,split,lower
 from ImageFile import ImageFile


-class SafeDtml(HTML):
-    """Lobotomized document template"""
-    def __init__(self,name='',*args,**kw):
-        f=open('%s/lib/python/%s.dtml' % (SOFTWARE_HOME, name))
-        s=f.read()
-        f.close()
-        args=(self,s,)+args
-	kw['SOFTWARE_URL']=SOFTWARE_URL
-	apply(HTML.__init__,args,kw)
-    manage             =None
-    manage_editDocument=None
-    manage_editForm    =None
-    manage_edit        =None
-
-
-


 class User(Implicit, Persistent):
-    def __init__(self,name=None,password=None,roles=[]):
-	if name is not None:
-	    self._name    =name
-	    self._password=password
-	    self._roles   =roles
+    def __init__(self,name,password,roles):
+	self.name =name
+	self.roles=roles
+	self.__   =password
+
+    def authenticate(self, password):
+	return password==self.__

    def hasRole(self,roles=None):
 	if roles is None:
 	    return 1
 	for role in roles:
-	    if role in self._roles:
+	    if role in self.roles:
 		return 1
 	return 0

-    def __len__(self):
-	return 1
-
-    def __str__(self):
-	return self._name
-
-    def __repr__(self):
-        return self._name
-
-
-class SuperUser:
-    def __init__(self):
-	try:
-	    f=open('%s/access' % CUSTOMER_HOME, 'r')
-	    d=split(strip(f.readline()),':')
-	    f.close()
-	    self._name    =d[0]
-	    self._password=d[1]
-	    self._roles   =('manage',)
-	except:
-	    self._name    ='superuser'
-	    self._password='123'
-	    self._roles   =('manage',)
-
-    def hasRole(self,roles=None):
-	return 1
-
-    def __len__(self):
-	return 1
+    def __len__(self): return 1
+    def __str__(self): return self.name
+    __repr__=__str__

-    def __str__(self):
-	return self._name

-    def __repr__(self):
-        return self._name
+try:
+    f=open('%s/access' % SOFTWARE_HOME, 'r')
+    data=split(strip(f.readline()),':')
+    f.close()
+    super=User(data[0],data[1],('manage',))
+    del data
+except:
+    super=User('superuser','123',('manage',))

-super=SuperUser()
+nobody=User('Anonymous User','',('Anonymous',))



-class UserFolder(Persistent, Item, Implicit, Management):
+class UserFolder(Implicit, Persistent, Management, Item):
    """ """
    meta_type='User Folder'
    id       ='acl_users'
    title    ='User Folder'
-    icon='p_/UserFolder'
+    icon     ='p_/UserFolder'

    isPrincipiaFolderish=1
    isAUserFolder=1

-    manage_main=Globals.HTMLFile('UserFolder_manage_main', globals())
-    _editForm  =Globals.HTMLFile('UserFolder_manage_editForm', globals())
-    manage=manage_main
-    #index_html =manage_main

    manage_options=(
-    {'icon':'AccessControl/UserFolder_icon.gif', 'label':'Contents',
+    {'icon': icon, 'label':'Contents',
     'action':'manage_main',   'target':'manage_main'},
    {'icon':'App/undo_icon.gif', 'label':'Undo',
     'action':'manage_UndoForm', 'target':'manage_main'},
    )

-    def _init(self):
-	self._data=PersistentMapping()
+    def __init__(self):
+	self.data=PersistentMapping()

    def __len__(self):
-	return len(self.userNames())
-
-    def parentObject(self):
-	try:    return (self.aq_parent,)
-	except: return ()
+	return len(self.data.keys())

    def _isTop(self):
 	try:    t=self.aq_parent.aq_parent.acl_users
 	except: return 1
 	return 0

-    def userNames(self):
-	try: return self._data.keys()
-	except AttributeError:
-	    self._init()
-	    return ()
+    def user_names(self):
+	keys=self.data.keys()
+	keys.sort()
+	return keys

-    def roleNames(self):
-	return self.validRoles()
-
-    def validate(self,request,auth,roles=None):
-	if auth is None:
-	    # Handle "anonymous" users:
-	    return None
+    def validate(self,request,auth='',roles=None):
+	if not auth:
+	    return nobody
 	if lower(auth[:6])!='basic ':
 	    return None
-	[name,password]=split(decodestring(split(auth)[-1]), ':')
-
-	if self._isTop() and (name==super._name) and \
-	   (password==super._password):
+	name,password=tuple(split(decodestring(split(auth)[-1]), ':'))
+	if self._isTop() and (name==super.name) and \
+	super.authenticate(password):
 	    return super
-
-	try:    user=self._data[name]
+	try:    user=self.data[name]
 	except: return None
-	if password!=user._password:
+	if not user.authenticate(password):
 	    return None
 	if roles is None:
 	    return user
 	for role in roles:
-	    if role in user._roles:
+	    if role in user.roles:
 		return user
 	return None

-    def manage_addUser(self,REQUEST,name,password,confirm,roles=[]):
-        """ """
-	if self._data.has_key(name) or (name==super._name):
-            return MessageDialog(title='Illegal value', 
-                   message='An item with the specified name already exists',
-                   action='%s/manage' % REQUEST['PARENT_URL'])
-
+    _mainUser=HTMLFile('mainUser', globals())
+    _add_User=HTMLFile('addUser', globals())
+    _editUser=HTMLFile('editUser', globals())
+
+    def _addUser(self,name,password,confirm,roles,REQUEST=None):
+	if not name or not password or not confirm:
+            return MessageDialog(
+		   title  ='Illegal value', 
+                   message='Name, password and confirmation must be specified',
+                   action ='manage_main')
+	if self.data.has_key(name) or (name==super.name):
+            return MessageDialog(
+		   title  ='Illegal value', 
+                   message='A user with the specified name already exists',
+                   action ='manage_main')
 	if password!=confirm:
-            return MessageDialog(title='Illegal value', 
+            return MessageDialog(
+		   title  ='Illegal value', 
                   message='Password and confirmation do not match',
-                   action='%s/manage' % REQUEST['PARENT_URL'])
-        self._data[name]=User(name,password,roles)
-        return self.manage_main(self, REQUEST)
-
-    def manage_editForm(self,REQUEST,name):
-        """ """
-	try:    user=self._data[name]
-	except: return MessageDialog(title='Illegal value',
-                message='The specified item does not exist',
-                action='%s/manage_main' % REQUEST['PARENT_URL'])
-	name    =user._name
-	pw      =user._password
-	rolelist=map(lambda k, s=user._roles:
-		     k in s and ('<OPTION VALUE="%s" SELECTED>%s' % (k,k)) \
-		     or  ('<OPTION VALUE="%s">%s' % (k,k)), self.roleNames())
-	return self._editForm(self,REQUEST,name=name,pw=pw,rolelist=rolelist)
-
-    def manage_editUser(self,REQUEST,name,password,confirm,roles=[]):
-        """ """
-	try:    user=self._data[name]
-	except: return MessageDialog(title='Illegal value',
-                message='The specified item does not exist',
-                action='%s/manage_main' % REQUEST['PARENT_URL'])
+                   action ='manage_main')
+        self.data[name]=User(name,password,roles)
+	return self._mainUser(self, REQUEST)
+
+    def _changeUser(self,name,password,confirm,roles,REQUEST=None):
+	if not name or not password or not confirm:
+            return MessageDialog(
+		   title  ='Illegal value', 
+                   message='Name, password and confirmation must be specified',
+                   action ='manage_main')
+	if not self.data.has_key(name):
+            return MessageDialog(
+		   title  ='Illegal value', 
+                   message='Unknown user',
+                   action ='manage_main')
 	if password!=confirm:
-            return MessageDialog(title='Illegal value', 
+            return MessageDialog(
+		   title  ='Illegal value', 
                   message='Password and confirmation do not match',
-                   action='%s/manage_main' % REQUEST['PARENT_URL'])
-	user._password=password
-	user._roles   =roles
-        return self.manage_main(self, REQUEST)
-
-    def manage_deleteUser(self,REQUEST,names=[]):
-        """ """
-	if 0 in map(self._data.has_key, names):
-            return MessageDialog(title='Illegal value',
+                   action ='manage_main')
+	user=self.data[name]
+	user.__=password
+	user.roles=roles
+	return self._mainUser(self, REQUEST)
+
+    def _delUser(self,names,REQUEST=None):
+	if not names:
+            return MessageDialog(
+		   title  ='Illegal value', 
+                   message='No users specified',
+                   action ='manage_main')
+
+	if 0 in map(self.data.has_key, names):
+            return MessageDialog(
+		   title  ='Illegal value',
                   message='One or more items specified do not exist',
-                   action='%s/manage_main' % REQUEST['PARENT_URL'])
-	for n in names:
-            del self._data[n]
-        return self.manage_main(self, REQUEST)
+                   action ='manage_main')
+	for name in names:
+            del self.data[name]
+        return self._mainUser(self, REQUEST)
+
+    def manage_main(self,submit=None,REQUEST=None):
+	""" """
+	if submit=='Add...':
+	    return self._add_User(self, REQUEST)
+
+	if submit=='Edit':
+	    try:    user=self.data[reqattr(REQUEST, 'name')]
+	    except: return MessageDialog(
+		    title  ='Illegal value',
+                    message='The specified user does not exist',
+                    action ='manage_main')
+	    return self._editUser(self,REQUEST,user=user,password=user.__)
+
+	if submit=='Add':
+	    name    =reqattr(REQUEST, 'name')
+	    password=reqattr(REQUEST, 'password')
+	    confirm =reqattr(REQUEST, 'confirm')
+	    roles   =reqattr(REQUEST, 'roles')
+	    return self._addUser(name,password,confirm,roles,REQUEST)
+
+	if submit=='Change':
+	    name    =reqattr(REQUEST, 'name')
+	    password=reqattr(REQUEST, 'password')
+	    confirm =reqattr(REQUEST, 'confirm')
+	    roles   =reqattr(REQUEST, 'roles')
+	    return self._changeUser(name,password,confirm,roles,REQUEST)
+
+	if submit=='Delete':
+	    names=reqattr(REQUEST, 'names')
+	    return self._delUser(names,REQUEST)
+
+	return self._mainUser(self, REQUEST)
+
+    manage=manage_main
+
+
+    # Copy/Paste support

    def _getCopy(self, container):
 	try:    obj=container.aq_self
@@ -231,19 +226,15 @@ class UserFolderHandler:
    """ """
    meta_types_=({'name':'User Folder', 'action':'manage_addUserFolder'},)

-    def manage_addUserFolder(self,dtself=None,REQUEST=None,**ignored):
+    def manage_addUserFolder(self,dtself,REQUEST,**ignored):
        """ """
-        i=UserFolder()
-        i._init()
-	if REQUEST:
-	    try:    self._setObject('acl_users', i)
-	    except: return MessageDialog(
-		title='Item Exists',
-		message='This object already contains a User Folder',
-		action='%s/manage_main' % REQUEST['PARENT_URL'])
-	else: self._setObject('acl_users', i)
+	try:    self._setObject('acl_users', UserFolder())
+	except: return MessageDialog(
+	               title  ='Item Exists',
+                       message='This object already contains a User Folder',
+                       action ='%s/manage_main' % REQUEST['PARENT_URL'])
        self.__allow_groups__=self.acl_users
-	if REQUEST: return self.manage_main(self,REQUEST)
+        return self.manage_main(self,REQUEST)

    def UserFolderIds(self):
 	t=[]
@@ -268,77 +259,10 @@ class UserFolderHandler:
 	return t


+def absattr(attr):
+    if callable(attr): return attr()
+    return attr

-
-# $Log: User.py,v $
-# Revision 1.26  1997/12/31 13:34:34  jim
-# Added (incomplete) code to handle "anonymous" users.
-#
-# Revision 1.25  1997/12/23 21:09:45  jim
-# Made REQUEST argument to addUserFolder optional.
-#
-# Revision 1.24  1997/12/19 19:03:54  jim
-# updated icon management strategy
-#
-# Revision 1.23  1997/12/18 21:12:47  jeffrey
-# more ImageFile tweaks
-#
-# Revision 1.22  1997/12/18 16:45:28  jeffrey
-# changeover to new ImageFile and HTMLFile handling
-#
-# Revision 1.21  1997/12/18 13:34:04  jim
-# Changed PersistentMapping import
-#
-# Revision 1.20  1997/12/05 17:10:10  brian
-# New UI
-#
-# Revision 1.19  1997/11/20 13:39:54  jim
-# Added logic to check for a broken user folder.
-#
-# Revision 1.18  1997/11/11 22:38:26  brian
-# Added copy logic to UF
-#
-# Revision 1.17  1997/11/07 20:57:41  jim
-# Made manage_addUserFolder accept and ignore keyword arguments to be
-# compatible with the new addObject protocol.
-#
-# Revision 1.16  1997/11/07 17:33:57  jim
-# Renamed meta_types to meta_types_ for new OFS-as-product change.
-#
-# Revision 1.15  1997/11/07 17:09:31  brian
-# Fixed validRoles
-#
-# Revision 1.14  1997/10/23 17:35:45  brian
-# Added hasRole method to User objects
-#
-# Revision 1.13  1997/09/19 17:52:04  brian
-# Changed UFs so that only the top UF validates god.
-#
-# Revision 1.12  1997/09/17 14:59:42  brian
-# *** empty log message ***
-#
-# Revision 1.11  1997/09/15 15:00:24  brian
-# Added SimpleItem support
-#
-# Revision 1.10  1997/09/08 23:01:33  brian
-# Style mods
-#
-# Revision 1.9  1997/09/04 20:35:36  brian
-# Fixed truth test bug in UserFolder
-#
-# Revision 1.8  1997/08/29 18:34:54  brian
-# Added basic role management to package.
-#
-# Revision 1.7  1997/08/27 19:49:48  brian
-# Added forgotten dtml
-#
-# Revision 1.6  1997/08/27 13:44:00  brian
-# Added a nicer dialog to return if users try to create more than one
-# UserFolder in an object.
-#
-# Revision 1.5  1997/08/27 13:31:28  brian
-# Fixed a name boo-boo
-#
-# Revision 1.4  1997/08/27 13:16:27  brian
-# Added cvs log!
-#
+def reqattr(request, attr):
+    try:    return request[attr]
+    except: return None
--- a/lib/python/AccessControl/addAccess.dtml
+++ b/lib/python/AccessControl/addAccess.dtml
+<HTML>
+<HEAD>
+<TITLE>Security</TITLE>
+</HEAD>
+<BODY BGCOLOR="#FFFFFF" LINK="#000099" VLINK="#555555" ALINK="#77003B">
+<!--#if manage_tabs-->
+<!--#var manage_tabs-->
+<!--#/if manage_tabs-->
+<P>
+Select one or more roles below, and a type of access that will given 
+to users who have those roles. Select &quot;Special Access...&quot;
+if you would like to define a new type of access.
+
+<FORM ACTION="manage_access" METHOD="POST">
+<TABLE CELLPADDING="2">
+<TR>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <STRONG>Roles</STRONG>
+  </TD>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <SELECT NAME="roles:list" SIZE="4" MULTIPLE>
+  <!--#in valid_roles-->
+  <OPTION VALUE="<!--#var sequence-item-->"><!--#var sequence-item-->
+  <!--#/in valid_roles-->
+  </SELECT>
+  </TD>
+</TR>
+<TR>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <STRONG>Type of access</STRONG>
+  </TD>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <SELECT NAME="access">
+  <!--#in access_types-->
+  <OPTION VALUE="<!--#var sequence-var-name-->"><!--#var sequence-var-name-->
+  <!--#/in access_types-->
+  <OPTION VALUE="Special Access...">Special Access...
+  </SELECT>
+  <BR>
+  <INPUT TYPE="SUBMIT" NAME="SUBMIT" VALUE="Add">
+  </TD>
+</TR>
+</TABLE>
+</FORM>
+</BODY>
+</HTML>
--- a/lib/python/AccessControl/UserFolder_manage_main.dtml
+++ b/lib/python/AccessControl/UserFolder_manage_main.dtml
 <HTML>
 <HEAD>
-<TITLE>Contents</TITLE>
+<TITLE>Add User</TITLE>
 </HEAD>
 <BODY BGCOLOR="#FFFFFF" LINK="#000099" VLINK="#555555">
 <!--#var manage_tabs-->
-
-<!--#if userNames-->
-<FORM ACTION="manage_deleteUser" METHOD="POST">
-The following users have been defined. Click on a user to edit 
-that user.
-<P>
-<TABLE BORDER="0" CELLSPACING="0" CELLPADDING="2">
-<!--#in userNames-->
-<TR>
-  <TD ALIGN="LEFT" VALIGN="TOP">
-  <INPUT TYPE="CHECKBOX" NAME="names:list" VALUE="<!--#var sequence-item-->">
-  </TD>
-  <TD ALIGN="LEFT" VALIGN="TOP">
-  <A HREF="manage_editForm?name=<!--#var sequence-item fmt=url-quote-->">
-  <IMG SRC="<!--#var SCRIPT_NAME-->/p_/User_icon"
-   ALT="Click to edit this user" BORDER="0">
-  </A>
-  <A HREF="manage_editForm?name=<!--#var sequence-item fmt=url-quote-->">
-  <!--#var sequence-item-->
-  </A>
-  </TD>
-</TR>
-<!--#/in userNames-->
-<TR>
-  <TD ALIGN="LEFT" VALIGN="TOP">
-  </TD>
-  <TD ALIGN="LEFT" VALIGN="TOP">
-  <INPUT TYPE="SUBMIT" VALUE="Delete">
-  </TD>
-</TR>
-</TABLE>
-</FORM>
-<!--#else userNames-->
-<P>
-<EM>There are no users defined.</EM>
-<!--#/if userNames-->
 <P>
+To add a new user, enter the name, password, confirmation and 
+roles for the new user and click &quot;Add&quot;.
+
+<FORM ACTION="manage_main" METHOD="POST">
 <TABLE>
 <TR>
-  <TD COLSPAN="2" VALIGN="TOP">
-  To add a new user, enter the name, password, confirmation and 
-  roles for the new user and click &quot;Add&quot;.
-  </TD>
-</TR>
-<TR>
-  <TD COLSPAN="2" VALIGN="TOP">
-  <FORM ACTION="manage_addUser" METHOD="POST">
-  <TABLE>
-  <TR>
  <TD VALIGN="TOP">
  <STRONG>Name</STRONG>
  </TD>
  <TD VALIGN="TOP">
  <INPUT TYPE="TEXT" NAME="name" SIZE="20">
  </TD>
-  </TR>
-  <TR>
+</TR>
+<TR>
  <TD VALIGN="TOP">
  <STRONG>Password</STRONG>
  </TD>
  <TD VALIGN="TOP">
  <INPUT TYPE="PASSWORD" NAME="password" SIZE="20">
  </TD>
-  </TR>
-  <TR>
+</TR>
+<TR>
  <TD VALIGN="TOP">
  <STRONG>(Confirm)</STRONG>
  </TD>
  <TD VALIGN="TOP">
  <INPUT TYPE="PASSWORD" NAME="confirm" SIZE="20">
  </TD>
-  </TR>
-  <TR>
+</TR>
+<TR>
  <TD VALIGN="TOP">
  <STRONG>Roles</STRONG>
  </TD>
  <TD VALIGN="TOP">
  <SELECT NAME="roles:list" SIZE="5" MULTIPLE>
-  <!--#if roleNames-->
-  <!--#in roleNames-->
-  <OPTION><!--#var sequence-item-->
-  <!--#/in roleNames-->
-  <!--#/if roleNames-->
+  <!--#in valid_roles-->
+  <OPTION VALUE="<!--#var sequence-item-->"><!--#var sequence-item-->
+  <!--#/in valid_roles-->
  </SELECT>
  <BR>
-  <INPUT TYPE="SUBMIT" VALUE=" Add ">
-  </TD>
-  </TR>
-  </TABLE>
-  </FORM>
-  </TD>
+  <INPUT TYPE="SUBMIT" NAME="submit" VALUE="Add">
+</TD>
 </TR>
 </TABLE>
+</FORM>
 </BODY>
 </HTML>
--- a/lib/python/AccessControl/editAccess.dtml
+++ b/lib/python/AccessControl/editAccess.dtml
+<HTML>
+<HEAD>
+<TITLE>Security</TITLE>
+</HEAD>
+<BODY BGCOLOR="#FFFFFF" LINK="#000099" VLINK="#555555" ALINK="#77003B">
+<!--#if manage_tabs-->
+<!--#var manage_tabs-->
+<!--#/if manage_tabs-->
+<P>
+<FORM ACTION="manage_access" METHOD="POST">
+<TABLE CELLPADDING="2">
+<TR>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <STRONG>Role</STRONG>
+  </TD>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <EM><!--#var role--></EM>
+  </TD>
+</TR>
+<TR>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <STRONG>Type of access</STRONG>
+  </TD>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <INPUT TYPE="HIDDEN" NAME="role" VALUE="<!--#var role-->">
+  <SELECT NAME="access">
+  <!--#in access_types-->
+  <OPTION VALUE="<!--#var sequence-var-name-->"<!--#if expr="role in _vars['sequence-item'].getRoles()"-->SELECTED<!--#/if-->><!--#var sequence-var-name-->
+  <!--#/in access_types-->
+  <OPTION VALUE="Special Access...">Special Access...
+  </SELECT>
+  <BR>
+  <INPUT TYPE="SUBMIT" NAME="SUBMIT" VALUE="Change">
+  </TD>
+</TR>
+</TABLE>
+</FORM>
+</BODY>
+</HTML>
--- a/lib/python/AccessControl/UserFolder_manage_editForm.dtml
+++ b/lib/python/AccessControl/UserFolder_manage_editForm.dtml
@@ -5,14 +5,14 @@
 <BODY BGCOLOR="#FFFFFF" LINK="#000099" VLINK="#555555">
 <!--#var manage_tabs-->

-<FORM ACTION="manage_editUser" METHOD="POST">
+<FORM ACTION="manage_main" METHOD="POST">
 <TABLE>
 <TR>
 <TD VALIGN="TOP">
 <STRONG>Name</STRONG>
 </TD>
 <TD VALIGN="TOP">
-<!--#var name-->
+<!--#var expr="user.name"-->
 </TD>
 </TR>
 <TR>
@@ -20,7 +20,7 @@
 <STRONG>Password</STRONG>
 </TD>
 <TD VALIGN="TOP">
-<INPUT TYPE="PASSWORD" NAME="password" VALUE="<!--#var pw-->" SIZE="20">
+<INPUT TYPE="PASSWORD" NAME="password" VALUE="<!--#var password-->" SIZE="20">
 </TD>
 </TR>
 <TR>
@@ -28,7 +28,7 @@
 <STRONG>(Confirm)</STRONG>
 </TD>
 <TD VALIGN="TOP">
-<INPUT TYPE="PASSWORD" NAME="confirm" VALUE="<!--#var pw-->" SIZE="20">
+<INPUT TYPE="PASSWORD" NAME="confirm" VALUE="<!--#var password-->" SIZE="20">
 </TD>
 </TR>
 <TR>
@@ -37,15 +37,17 @@
 </TD>
 <TD VALIGN="TOP">
 <SELECT NAME="roles:list" SIZE="5" MULTIPLE>
-<!--#if rolelist-->
-<!--#in rolelist-->
-<!--#var sequence-item-->
-<!--#/in rolelist-->
-<!--#/if rolelist-->
+<!--#in valid_roles-->
+<!--#if expr="_vars['sequence-item'] in user.roles"-->
+<OPTION VALUE="<!--#var sequence-item-->" SELECTED><!--#var sequence-item-->
+<!--#else-->
+<OPTION VALUE="<!--#var sequence-item-->"><!--#var sequence-item-->
+<!--#/if-->
+<!--#/in valid_roles-->
 </SELECT>
-<INPUT TYPE="HIDDEN" NAME="name" VALUE="<!--#var name-->">
+<INPUT TYPE="HIDDEN" NAME="name" VALUE="<!--#var expr="user.name"-->">
 <BR>
-<INPUT TYPE="SUBMIT" VALUE="Change">
+<INPUT TYPE="SUBMIT" NAME="submit" VALUE="Change">
 </TD>
 </TR>
 </TABLE>

--- a/lib/python/AccessControl/groupForm.dtml
+++ b/lib/python/AccessControl/groupForm.dtml
-<HTML>
-<HEAD>
-<TITLE>
-Access Control
-</TITLE>
-</HEAD>
-<BODY BGCOLOR="#FFFFFF" LINK="#000099" VLINK="#555555" ALINK="#77003B">
-<FONT SIZE="+2">
-Access Control
-</FONT>
-<BR>
-<P>
-<TABLE>
-<!--#if memberNames-->
-
-
-<TR>
-  <TD VALIGN="TOP">
-  The following members are defined for the group <B><!--#var groupName--></B>.
-  To edit a member, select a member from the list and click the
-  <I>Change Member</I> button.
-  </TD>
-  <TD VALIGN="TOP">
-  <FORM ACTION="manage_memberForm" METHOD="POST">
-  <SELECT NAME="name">
-  <!--#in memberNames-->
-  <OPTION VALUE="<!--#var sequence-item-->"> <!--#var sequence-item-->
-  <!--#/in memberNames-->
-  </SELECT>
-  <BR>
-  <INPUT TYPE="HIDDEN" NAME="group" VALUE="<!--#var groupName-->">
-  <INPUT TYPE="SUBMIT" VALUE="Change Member">
-  </FORM>
-  </TD>
-</TR>
-<!--#else memberNames-->
-<TR>
-  <TD COLSPAN="2" VALIGN="TOP">
-  There are no members defined for the group <B><!--#var groupName--></B>.
-  </TD>
-</TR>
-<!--#/if memberNames-->
-<TR>
-  <TD COLSPAN="2" VALIGN="TOP">
-  <BR>
-  To add a new member to this group, enter the name, password and
-  confirmation of password for the new member and click the
-  <I>Add Member</I> button.
-  </TD>
-</TR>
-<TR>
-  <TD COLSPAN="2" VALIGN="TOP">
-  <FORM ACTION="manage_addMember" METHOD="POST">
-  <TABLE>
-  <TR>
-  <TD VALIGN="TOP">Name</TD>
-  <TD VALIGN="TOP"><INPUT TYPE="TEXT" NAME="name" SIZE="20"></TD>
-  </TR>
-  <TR>
-  <TD VALIGN="TOP">Password</TD>
-  <TD VALIGN="TOP"><INPUT TYPE="PASSWORD" NAME="password" SIZE="20"></TD>
-  </TR>
-  <TR>
-  <TD VALIGN="TOP">(Confirm)</TD>
-  <TD VALIGN="TOP">
-  <INPUT TYPE="PASSWORD" NAME="confirm" SIZE="20"><BR>
-  <INPUT TYPE="HIDDEN" NAME="group" VALUE="<!--#var groupName-->">
-  <INPUT TYPE="SUBMIT" VALUE="Add Member">
-  </TD>
-  </TR>
-  </TABLE>
-  </FORM>
-  </TD>
-</TR>
-<!--#if memberNames-->
-<TR>
-  <TD VALIGN="TOP">
-  <BR>
-  To delete one or more members from this group, select the members
-  you wish to delete and click the <I>Delete Members</I> button.
-  </TD>
-  <TD VALIGN="TOP">
-  <BR>
-  <FORM ACTION="manage_deleteMember" METHOD="POST">
-  <SELECT NAME="names:list" MULTIPLE SIZE="5" >
-  <!--#in memberNames-->
-  <OPTION VALUE="<!--#var sequence-item-->"> <!--#var sequence-item-->
-  <!--#/in memberNames-->
-  </SELECT>
-  <BR>
-  <INPUT TYPE="HIDDEN" NAME="group" VALUE="<!--#var groupName-->">
-  <INPUT TYPE="SUBMIT" VALUE="Delete Members">
-  </FORM>
-  </TD>
-</TR>
-<!--#/if memberNames-->
-</TABLE>
-</BODY>
-</HTML>
--- a/lib/python/AccessControl/groupsForm.dtml
+++ b/lib/python/AccessControl/groupsForm.dtml
-<HTML>
-<HEAD>
-<TITLE>
-Access Control
-</TITLE>
-</HEAD>
-<BODY BGCOLOR="#FFFFFF" LINK="#000099" VLINK="#555555" ALINK="#77003B">
-<FONT SIZE="+2">
-Access Control
-</FONT>
-<BR>
-<P>
-Access control allows you to restrict access to various operations on
-this object. For detailed information about using access control, see
-the product documentation or online help.
-<P>
-<TABLE>
-<!--#if groupNames-->
-<TR>
-  <TD VALIGN="TOP">
-  To view or edit the members of a group, select a
-  group and click the <I>Change Group</I> button.
-  </TD>
-  <TD VALIGN="TOP">
-  <FORM ACTION="manage_groupForm" METHOD="POST">
-  <SELECT NAME="name">
-
-  <!--#in groupNames-->
-  <OPTION VALUE="<!--#var sequence-item-->"> <!--#var sequence-item-->
-  <!--#/in groupNames-->
-  </SELECT>
-  <BR>
-  <INPUT TYPE="SUBMIT" VALUE="Change Group">
-  </FORM>
-  </TD>
-</TR>
-<!--#else groupNames-->
-<TR>
-  <TD COLSPAN="2" VALIGN="TOP">
-  There are currently no access control groups defined.
-  </TD>
-</TR>
-<!--#/if groupNames-->
-<TR>
-  <TD VALIGN="TOP">
-  <BR>
-  To add a new group, enter a name for the new
-  group and click the <I>Add Group</I> button.
-  </TD>
-  <TD VALIGN="TOP">
-  <BR>
-  <FORM ACTION="manage_addGroup" METHOD="POST">
-  <INPUT TYPE="TEXT" NAME="name" SIZE="30">
-  <BR>
-  <INPUT TYPE="SUBMIT" VALUE="Add Group">
-  </FORM>
-  </TD>
-</TR>
-<!--#if groupNames-->
-<TR>
-  <TD VALIGN="TOP">
-  <BR>
-  To delete one or more groups, select the groups you wish
-  to delete and click the <I>Delete Groups</I> button.
-  </TD>
-  <TD VALIGN="TOP">
-  <BR>
-  <FORM ACTION="manage_deleteGroup" METHOD="POST">
-  <SELECT NAME="names:list" MULTIPLE SIZE="5">
-  <!--#in groupNames-->
-  <OPTION VALUE="<!--#var sequence-item-->"> <!--#var sequence-item-->
-  <!--#/in groupNames-->
-  </SELECT>
-  <BR>
-  <INPUT TYPE="SUBMIT" VALUE="Delete Groups">
-  </FORM>
-  </TD>
-</TR>
-<!--#/if groupNames-->
-</TABLE>
-</BODY>
-</HTML>
--- a/lib/python/AccessControl/listAccess.dtml
+++ b/lib/python/AccessControl/listAccess.dtml
+<HTML>
+<HEAD>
+<TITLE>Security</TITLE>
+</HEAD>
+<BODY BGCOLOR="#FFFFFF" LINK="#000099" VLINK="#555555" ALINK="#77003B">
+<!--#if manage_tabs-->
+<!--#var manage_tabs-->
+<!--#/if manage_tabs-->
+
+<FORM ACTION="manage_access" METHOD="POST">
+<TABLE CELLPADDING="2">
+<TR>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <STRONG>Users with the role</STRONG>
+  </TD>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <!--#var role-->
+  </TD>
+</TR>
+<TR>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <STRONG>have type of access</STRONG>
+  </TD>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <!--#var expr="access_type_for(role)"-->,
+  </TD>
+</TR>
+<TR>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <STRONG>which corresponds to</STRONG>
+  </TD>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <FONT SIZE="-1">
+  <!--#in access_permissions-->
+  <INPUT TYPE="CHECKBOX" NAME="p" VALUE=""<!--#if
+  expr="_vars['sequence-item'].name in access_type_for(role).data"-->
+  CHECKED<!--#/if-->>
+  <!--#var sequence-var-name--><BR>
+  <!--#/in access_permissions-->
+  </FONT>
+  </TD>
+</TR>
+</TABLE>
+</FORM>
+</BODY>
+</HTML>
--- a/lib/python/AccessControl/mainAccess.dtml
+++ b/lib/python/AccessControl/mainAccess.dtml
+<HTML>
+<HEAD>
+<TITLE>Security</TITLE>
+</HEAD>
+<BODY BGCOLOR="#FFFFFF" LINK="#000099" VLINK="#555555" ALINK="#77003B">
+<!--#if manage_tabs-->
+<!--#var manage_tabs-->
+<!--#/if manage_tabs-->
+<P>
+<!--#if access_info-->
+The listing below shows the current security settings for this item. 
+Each role listed has been given a type of access which represents 
+a specific set of permissions. Click on the name of a role for details 
+on the specific permissions granted to that role.
+<FORM ACTION="manage_access" METHOD="POST">
+<TABLE CELLPADDING="2">
+<TR>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <STRONG>
+  Role
+  </STRONG>
+  </TD>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <STRONG>Type of access</STRONG>
+  </TD>
+</TR>
+<!--#in access_info mapping-->
+<TR>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <INPUT TYPE="CHECKBOX" NAME="roles:list"
+   VALUE="<!--#var sequence-var-name-->">
+  <A HREF="manage_access?role=<!--#var sequence-var-name fmt=url-quote-->&SUBMIT=List"><!--#var sequence-var-name--></A>
+  </TD>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <!--#var sequence-var-value-->
+  </TD>
+</TR>
+<!--#/in access_info-->
+<TR>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  </TD>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <INPUT TYPE="SUBMIT" NAME="SUBMIT" VALUE="Add...">
+  <INPUT TYPE="SUBMIT" NAME="SUBMIT" VALUE="Remove">
+  </TD>
+</TR>
+</TABLE>
+</FORM>
+<P>
+<!--#if access_defaults-->
+Users having roles defined at this level and above that have been 
+given the &quot;Default permission&quot; have the following 
+permissions to this object: <EM>
+<!--#in access_defaults-->
+<!--#var sequence-var-name-->
+<!--#if sequence-end--><!--#else-->, <!--#/if-->
+<!--#/in access_defaults-->
+</EM>
+<!--#/if access_defaults-->
+<!--#/if access_info-->
+
+<!--#else access_info-->
+This object is using default security. Users having roles defined at 
+this level and above that have been given the &quot;Default permission&quot; 
+have access to this object.
+<P>
+To set explicit security on this item, click the &quot;Add...&quot; button.
+<BR>
+<FORM ACTION="manage_access" METHOD="POST">
+<INPUT TYPE="SUBMIT" NAME="SUBMIT" VALUE="Add...">
+</FORM>
+<!--#/else access_info-->
+
+<P> 
+<FORM ACTION="manage_access" METHOD="POST">
+<TABLE CELLPADDING="2">
+<TR>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <STRONG>
+  User defined roles
+  </STRONG>
+  </TD>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  </TD>
+</TR>
+<TR>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <INPUT TYPE="TEXT" NAME="role" SIZE="16">
+  </TD>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <INPUT TYPE="SUBMIT" NAME="SUBMIT" VALUE="Add Role">
+  </TD>
+</TR>
+<!--#if userdefined_roles-->
+<TR>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <SELECT NAME="roles:list">
+  <!--#in userdefined_roles-->
+  <OPTION VALUE="<!--#var sequence-item-->"><!--#var sequence-item-->
+  <!--#/in userdefined_roles-->
+  </SELECT>
+  </TD>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <INPUT TYPE="SUBMIT" NAME="SUBMIT" VALUE="Delete Role">
+  </TD>
+</TR>
+<!--#/if userdefined_roles-->
+</TABLE>
+</FORM>
+
+<!--#if access_debug-->
+<BR><BR>
+<BR><BR>
+<BR><BR>
+Access Types:
+<TABLE BORDER="0" CELLPADDING="2">
+<!--#in access_types-->
+<TR>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <!--#var sequence-var-name-->
+  </TD>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <!--#var sequence-var-getRoles-->
+  </TD>
+</TR>
+<!--#/in access_types-->
+</TABLE>
+<P>
+Permissions:
+<TABLE BORDER="0" CELLPADDING="2">
+<!--#in access_permissions-->
+<TR>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <!--#var sequence-var-name-->
+  </TD>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <!--#var sequence-var-getRoles-->
+  </TD>
+</TR>
+<!--#/in access_permissions-->
+</TABLE>
+<P>
+Attributes:
+<TABLE BORDER="0" CELLPADDING="2">
+<!--#in access_debug_info mapping-->
+<TR>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <!--#if sequence-var-class-->
+  <FONT COLOR="RED">
+  <!--#/if-->
+  <!--#var sequence-var-name-->
+  <!--#if sequence-var-class-->
+  </FONT>
+  <!--#/if-->
+  </TD>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <!--#if sequence-var-class-->
+  <FONT COLOR="RED">
+  <!--#/if-->
+  <!--#var sequence-var-value-->
+  <!--#if sequence-var-class-->
+  </FONT>
+  <!--#/if-->
+  </TD>
+</TR>
+<!--#/in access_debug_info-->
+</TABLE>
+<!--#/if access_debug-->
+</BODY>
+</HTML>
--- a/lib/python/AccessControl/mainUser.dtml
+++ b/lib/python/AccessControl/mainUser.dtml
+<HTML>
+<HEAD>
+<TITLE>Contents</TITLE>
+</HEAD>
+<BODY BGCOLOR="#FFFFFF" LINK="#000099" VLINK="#555555">
+<!--#var manage_tabs-->
+
+<FORM ACTION="manage_main" METHOD="POST">
+<!--#if user_names-->
+The following users have been defined. Click on a user to edit 
+that user.
+<P>
+<TABLE BORDER="0" CELLSPACING="0" CELLPADDING="2">
+<!--#in user_names-->
+<TR>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <INPUT TYPE="CHECKBOX" NAME="names:list" VALUE="<!--#var sequence-item-->">
+  </TD>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <A HREF="manage_main?name=<!--#var sequence-item fmt=url-quote-->&submit=Edit">
+  <IMG SRC="<!--#var SCRIPT_NAME-->/p_/User_icon" ALT="Click to edit user"
+   BORDER="0">
+   </A>
+  <A HREF="manage_main?name=<!--#var sequence-item fmt=url-quote-->&submit=Edit">
+  <!--#var sequence-item-->
+  </A>
+  </TD>
+</TR>
+<!--#/in user_names-->
+<TR>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  </TD>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <INPUT TYPE="SUBMIT" NAME="submit" VALUE="Add...">
+  <INPUT TYPE="SUBMIT" NAME="submit" VALUE="Delete">
+  </TD>
+</TR>
+</TABLE>
+<!--#else user_names-->
+<P>
+<EM>There are no users defined.</EM>
+<P>
+<INPUT TYPE="SUBMIT" NAME="submit" VALUE="Add...">
+<!--#/if user_names-->
+</FORM>
+</BODY>
+</HTML>
--- a/lib/python/AccessControl/manage_rolesForm.dtml
+++ b/lib/python/AccessControl/manage_rolesForm.dtml
-<HTML>
-<HEAD>
-<TITLE>Security</TITLE>
-</HEAD>
-<BODY BGCOLOR="#FFFFFF" LINK="#000099" VLINK="#555555" ALINK="#77003B">
-<!--#var manage_tabs-->
-
-<P>
-You may restrict access to this item using the form 
-below. To add or remove roles, select or deselect 
-the desired role names and click &quot;Change&quot;.
-<P>
-<FORM ACTION="manage_editRoles" METHOD="POST">
-<TABLE>
-<TR>
-<TD VALIGN=CENTER><STRONG>Access<BR>Control</STRONG></TD>
-<TD VALIGN="TOP">
-<INPUT TYPE="RADIO" NAME="acl_type" VALUE="E"<!--#var aclEChecked-->>
-Allow users with selected roles
-<BR>
-<INPUT TYPE="RADIO" NAME="acl_type" VALUE="A"<!--#var aclAChecked-->>
-Allow based on default roles
-<BR>
-<INPUT TYPE="RADIO" NAME="acl_type" VALUE="P"<!--#var aclPChecked-->> 
-Allow all users
-</TD>
-<TD VALIGN="TOP">
-<SELECT NAME="acl_roles:list" SIZE="4" MULTIPLE>
-<!--#in selectedRoles-->
-<!--#var sequence-item-->
-<!--#/in selectedRoles-->
-</SELECT>
-</TD>
-</TR>
-<TR>
-  <TD ALIGN="LEFT" VALIGN="TOP">
-  </TD>
-  <TD ALIGN="LEFT" VALIGN="TOP">
-  <INPUT TYPE="SUBMIT" VALUE="Change">
-  </TD>
-</TR>
-
-</TABLE>
-</FORM>
-
-<P>
-<FORM ACTION="manage_addRole" METHOD="POST">
-To add a new, user-defined role to this object, enter the name of 
-the new role and click &quot;Add&quot;.
-<BR>
-<INPUT TYPE="TEXT" NAME="role" SIZE="20">
-<BR>
-<INPUT TYPE="SUBMIT" VALUE=" Add ">
-</FORM>
-</BODY>
-</HTML>
--- a/lib/python/AccessControl/memberForm.dtml
+++ b/lib/python/AccessControl/memberForm.dtml
-<HTML>
-<HEAD>
-<TITLE>
-Access Control
-</TITLE>
-</HEAD>
-<BODY BGCOLOR="#FFFFFF" LINK="#000099" VLINK="#555555" ALINK="#77003B">
-<FONT SIZE="+2">
-Access Control
-</FONT>
-<BR>
-<P>
-  <FORM ACTION="manage_editMember" METHOD="POST">
-  <TABLE>
-  <TR>
-  <TD VALIGN="TOP">Name</TD>
-  <TD VALIGN="TOP"><!--#var memberName-->, in <B><!--#var groupName--></B></TD>
-  </TR>
-  <TR>
-  <TD VALIGN="TOP">Password</TD>
-  <TD VALIGN="TOP">
-  <INPUT TYPE="PASSWORD" NAME="password" VALUE="<!--#var memberPassword-->"
-   SIZE="20"></TD>
-  </TR>
-  <TR>
-  <TD VALIGN="TOP">(Confirm)</TD>
-  <TD VALIGN="TOP">
-  <INPUT TYPE="PASSWORD" NAME="confirm" VALUE="<!--#var memberPassword-->"
-   SIZE="20">
-  <INPUT TYPE="HIDDEN" NAME="name" VALUE="<!--#var memberName-->">
-  <INPUT TYPE="HIDDEN" NAME="group" VALUE="<!--#var groupName-->">
-  <BR>
-  <INPUT TYPE="SUBMIT" VALUE="Save Changes">
-  </TD>
-  </TR>
-  </TABLE>
-  </FORM>
-</BODY>
-</HTML>
--- a/lib/python/AccessControl/smallRolesWidget.dtml
+++ b/lib/python/AccessControl/smallRolesWidget.dtml
-<!--#if AUTHENTICATED_USER-->
-<TR>
-  <TH ALIGN="LEFT" VALIGN="TOP">Access<BR>Control</TH>
-  <TD>
-    <TABLE CELLPADDING="0" CELLSPACING="0" BORDER="0">
-    <TR>
-    <TD VALIGN="TOP">
-      <INPUT TYPE="RADIO" NAME="acl_type" VALUE="E"<!--#var aclEChecked-->>
-      Allow users with selected roles
-      <BR>
-      <INPUT TYPE="RADIO" NAME="acl_type" VALUE="A"<!--#var aclAChecked-->>
-      Allow based on default roles
-      <BR>
-      <INPUT TYPE="RADIO" NAME="acl_type" VALUE="P"<!--#var aclPChecked-->> 
-      Allow all users
-    </TD>
-    <TD VALIGN="TOP">
-      <SELECT NAME="acl_roles:list" SIZE="3" MULTIPLE>
-      <!--#in selectedRoles-->
-      <!--#var sequence-item-->
-      <!--#/in selectedRoles-->
-      </SELECT>
-    </TD>
-    </TR>
-    </TABLE>
-  </TD>
-</TR>
-<!--#/if AUTHENTICATED_USER-->
--- a/lib/python/AccessControl/specAccess.dtml
+++ b/lib/python/AccessControl/specAccess.dtml
+<HTML>
+<HEAD>
+<TITLE>Security</TITLE>
+</HEAD>
+<BODY BGCOLOR="#FFFFFF" LINK="#000099" VLINK="#555555" ALINK="#77003B">
+<!--#if manage_tabs-->
+<!--#var manage_tabs-->
+<!--#/if manage_tabs-->
+<P>
+<FORM ACTION="manage_access" METHOD="POST">
+<TABLE CELLPADDING="2">
+<TR>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <STRONG>Roles</STRONG>
+  </TD>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <SELECT NAME="roles:list" SIZE="4" MULTIPLE>
+  <!--#in valid_roles-->
+  <OPTION VALUE="<!--#var sequence-item-->" <!--#if expr="_vars['sequence-item'] in roles"-->SELECTED<!--#/if-->><!--#var sequence-item-->
+  <!--#/in valid_roles-->
+  </SELECT>
+  </TD>
+</TR>
+<TR>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <STRONG>Special access</STRONG>
+  </TD>
+  <TD ALIGN="LEFT" VALIGN="TOP">
+  <INPUT TYPE="TEXT" NAME="access" SIZE="25">
+  <BR>
+  <!--#in access_permissions-->
+  <INPUT TYPE="CHECKBOX" NAME="permissions:list" VALUE="<!--#var sequence-var-name-->"> <EM><!--#var sequence-var-name--></EM>
+  <BR>
+  <!--#/in access_permissions-->
+  <BR>
+  <INPUT TYPE="SUBMIT" NAME="SUBMIT" VALUE="OK">
+  </TD>
+</TR>
+</TABLE>
+</FORM>
+</BODY>
+</HTML>