Skip to main content

A Plone PAS plugin for proxy roles between users

Project description

A PAS plugin for Plone where administrators (or normal users) can delegate their own permissions to other users.


This product will add a role sharing control panel to you site, where a user (the delegator) will be able to proxy his roles to another user (delegate).

While the delegation is active, the delegate will be able to act as the delegator, as he own same roles (both global and local).

Every delegate will also gain a new Delegate role (this role will not be registered in your Plone site, this feature must be activated by 3rd party or manual configuration).

The “Proxy Roles Settings” control panel

The plugin configuration is composed by a sequence of delegator/delegate couples.

Proxy Roles Settings

By default all users can access this panel, with a big difference:

  • Managers and Site Administrators (who own “pas.plugins.proxy: Manage proxy roles” permission) can add and delete roles delegations for all users
  • Other members can only delegate for themself. If you don’t want to give this power to normal users you can just remove the “pas.plugins.proxy: Access proxy roles panel” permission.

Other rules:

  • You can only delegate existings users
  • Cannot cross-delegate (a user can’t be both delegator and delegate of another)
  • A delegator can proxy his roles as many times as he need
  • A user can be delegate of many users


The PAS plugin act also as a group plugin: the delegate will automatically gets all roles given to groups where the delegator is in.

Ask for groups of a delegate will return you also groups of his delegator. Instead: asking for users inside a group will not return users that seems part of the groups thanks to delegation process.

Limitations and Troubleshooting

Rule Number One

The most important thing to know: the plugin works only for currently logged in user (someway similar to the Authenticated Users virtual group): if you query the permissions of a delegate by code you will get nothing. This is not a technical limit but a practical consequence of aggressive cache done by the plugin itself, bringing us acceptable performance.

No inheritance

Delegation works with one-level of inheritance: in user A is delegator of user B, and user B is delegator of user C, C will not get any power from A. This could probably possibile in future (if so: optionally) but there are some implications about performance and avoiding circular delegations loops.

Knowing delegation status

There’s no simple way to know if a user is able to perform an action because he has sufficient permissions or because he get the needed permission thanks to a delegator’s role. Neither the Delegate role can help too much for this, as it’s given every time a role’s proxy is active on the current context.

Limiting plugin effects

As said, this product implements three kind of plugins:

  • local roles
  • global roles
  • groups

…all of them enabled by default. You can freely access ZMI and disable one or more plugins (for example: you could not like the groups propagation effect).


This product was developed by RedTurtle Technology team.

RedTurtle Technology Site


0.1.0 (2015-05-15)

  • Initial release

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for pas.plugins.proxy, version 0.1.0
Filename, size File type Python version Upload date Hashes
Filename, size (89.6 kB) File type Source Python version None Upload date Hashes View

Supported by

AWS AWS Cloud computing Datadog Datadog Monitoring DigiCert DigiCert EV certificate Facebook / Instagram Facebook / Instagram PSF Sponsor Fastly Fastly CDN Google Google Object Storage and Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Salesforce Salesforce PSF Sponsor Sentry Sentry Error logging StatusPage StatusPage Status page