Skip to main content

Content-based users and groups for Plone

Project description


membrane is a set of PluggableAuthService (PAS) plug-ins that allow for the user-related behaviour and data (authentication, properties, roles, groups, etc.) to be obtained from content within a Plone site. It does not actually provide a full member implementation, it is intended to be a set of tools from which a full implementation can be constructed. It is meant to be flexible and pluggable, and easy to adapt to different deployment scenarios. It is not meant to be configured through-the-web-only, but to be adapted by filesystem code.

membrane tries to take a step backwards and re-think some of the Plone membership-handling. We have tried to make it as simple as possible, so that grasping and extending it is simple. Hopefully, simplicity should also make it easier to make sure it is secure.

For announcement, help, or to keep up with development discussions, see the poorly named “remember” list:


membrane is a product to enable users as content in Plone sites, in collaboration with PlonePAS. The name gives you an idea of the intended complexity and amount of code.

membrane won’t be the only member handling product in your site, instead it should enable us to easily plug in products that enable default Plone member policy, or more exotic setups in corporate intranets. This means that to get the default Plone behaviour you will need something else in addition to membrane.


  • Plone 3.3 or better


Currently, a catalog is used to index the interfaces implemented by the objects in the portal. However, interfaces are specified programmatically, either via Python code or ZCML. Any time Zope is restarted, interfaces may have changed, and, if they have, the catalog will have become out of date. Work is under way on a more robust interface lookup solution, but for now if you change the interfaces implemented on any membrane related type or object, you may need to explicitly reindex the ‘object_implements’ interface on the membrane_tool.


2.1.1, 29 November, 2011

  • Made the getUserObject method private for better security. Use portal_membership.getMemberInfo(user_id) when you need something similar in a skin script or template. Or @@pas_member on Plone 4.0+. [maurits]

2.1.0, 15 November, 2011

  • Restored compatibility with collective.indexing 1.8 or earlier. [maurits]

  • Added a normalizer lexicon that does case normalization. getUserId and getUserName are the only places where case sensitivity makes sense in searches. Title and SearchableText needs normalization. [tesdal]

  • Fixed a bug where only user objects and not groups would be indexed if collective.indexing could be imported. Also added a missing check of of portal_type against listMembraneTypes before performing re/un/indexing. [tesdal]

  • Add compatibility with collective.indexing 2.0a1. [hannosch]

2.0.2, 26 April, 2011

  • In the unindexObject patch when collective.indexing is used, when the object is no membrane object, try to unwrap it, as it may be a PathWrapper around the object, wrapped by collective.indexing. Without this, stale brains may be left in the membrane_tool catalog, at least when using dexterity objects as members. [maurits]

  • Changed the test setup so the tests also work on Plone 4.1, next to Plone 4.0 and 3.3. [maurits]

2.0.1, March 11, 2011

  • Add an upgrade step to handle cases where meta_type for the SearchableText step has been rewritten to “Broken Because Product is Gone” which would cause the 2.0 upgrade step to not migrate the index. [cah190]

2.0, March 9, 2011

  • Add an upgrade step to migrate from membrane 1.1 releases. [cah190]

2.0b2, September 20, 2010

  • Fix username/userid error in the PAS users plugin: doChangeUser takes a userid as parameter, not a username. [wichert]

2.0b1, August 31, 2010

  • Apply the collective.indexing profile when it is available. [maurits]

  • Removed the dependency on collective.indexing >= 1.1 as it was added to allow non-Archetypes content to be used, but it is giving problems with some normal Archetypes content. If you add collective.indexing to your buildout yourself, we still use it and register our own catalog queue processor with it. Please install it in your Plone Site yourself. [maurits]

  • Bug fix: when asked to return a maximum number of users, convert max_results to an integer. [maurits]

  • Remove deprecated workflow state category set status mapper. This should be implemented using a workflow based test in an IMembraneUserAuth implementation, not in the core Membrane code. [rossp, wichert]

  • Fix performance problems with the object_implements index using marker interfaces registered as utilities. [rossp]

    The object_implements index used to use the ZCA to find out not only what interfaces an object provided, but what interfaces an object could be adapted to out to the second order (adapting two objects). Providing this degree of magical awareness proved to be a large performance problem.

  • Remove BBB method to migrate the list of membrane types from archetypes_tool to membrane_tool. [rossp]

  • Use ZCTextIndex for the SearchableText index. This fixes problems with unicode data. [wichert]

  • Modify the property plugin to handle property adapters returning None and pure dictionaries. Even though the PAS interface does not allow it this is common behaviour. [wichert]

  • Use collective.indexing to update the membrane_tool catalog data. This allows non-Archetypes content to be used. [wichert]

  • Refactor PAS plugins to only depend on the generic interfaces. This removes the dependency on Archetypes. [wichert]

  • Use plone.indexer to manager indexable attribuets. [wichert]

  • Update GenericSetup import handler to gracefully handle sites without a membrane_tool installed. [wichert]

  • Improve package description, RESTify the changelog. [wichert]

  • Move GenericSetup profile and step registration to zcml. [wichert]

1.1b5 Released March 23, 2009

  • Fix git based release problem, now using setuptools-git [hannosch]

1.1b4 Released March 20, 2009

  • Tested with Plone 3.0-3.2 [rossp]

  • Add a warning about upcoming changes to object_implements [rossp]

  • Deprecate the category mapper support [rossp]

  • Deprecate AT assumptions [rossp]

  • Provide the offending login name when more than one match [witsch]

  • Fix AttributeError bug when the search term is None [claytron]

  • Distinguish btn substring matches and case-insensitive matches for userid and username when supporting case-insensitive logins [rafrombrc]

  • Only use the membrane user factory plug-in for users for whom membrane provides authentication. [rafrombrc]

1.1b3 Released July 23, 2008

  • Fix issue with retrieving unnamed user adders. [witsch]

  • Remove counter again as the membrane tool inherits from Plone’s catalog tool, which already has support for a counter. Keep the test and caching helper, though. :) [witsch]

1.1b2 Released July 22, 2008

  • Add a counter to the membrane tool which can be used as a cache key as well as a convenience helper for quickly memoizing adapters and tools. [witsch]

  • Have rolemanager and groupmanager search for exact userids. [mj]

1.1b1 Released May 22, 2008

  • Initial egg release. [rafrombrc]

  • removed deprecation messages in Plone 3.0 (Zope 2.10): Import of turned into zope.annotation [jensens]


  • Introduced IUserChanger interface to separate the password changing from the user addition and deletion portions of IUserManagement. [rafrombrc]

  • Completed general implementation of roles, groups, properties plugins. [rafrombrc, jhammel, rmarianski]


  • Added a IUserManagement interface (from PlonePAS) to the usermanager. It will be available to implementations that provide the corresponding IMembraneUserManagement interface directly or through adaptation. This allows thing like PasswordResetTool to work.

  • Renamed package to ‘membrane’ from ‘Membrane’ to reflect current standard python naming conventions. [rafrombrc]

  • Major refactoring to use Zope 3 component engine to glue together all the pieces. Mix-ins have been converted to adapters, providers are defined by implementation of specific interfaces. [rafrombrc]


  • Made Title in membrane_tool a ZCTextIndex too, so that enumerateGroups() of membrane_groups works without exact_match.

  • getUserName and getUserId indexes in membrane_tool are now of type ZCTextIndex, allowing us to do exact_match=False queries in MembraneUserManager.enumerateUsers.

    PluggableAuthService.enumerateUsers recommends treating id and login as “contains” search tokens, but with our text index we can only do “starts with” searches. However, that’s much better than returning () for every call that has “exact_match=False”. [dpunktnpunkt]

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

Products.membrane-2.1.1.tar.gz (123.8 kB view hashes)

Uploaded Source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page