Several issues have popped up for a customer because Administrators did not have the permissions to do certain actions (see for example https://extranet.4teamwork.ch/support/gemeinde-muri-guemligen/tracker/9). It seems that for other deployments we have simply also given Editor role to the admin group. I've decided instead to have a look at what permissions the Administrator might be missing.
I checked which permissions an Editor or Contributor has that an Administrator does not (apart from those that I have just fixed, i.e. create keywords and deactivate dossiers):
Things an Editor can that an Administrator cannot:

- In opengever_inbox_mail_workflow/definition.xml:
  - CMFEditions: Access previous versions
- In opengever_document_workflow/definition.xml:
  - CMFEditions: Apply version control
  - CMFEditions: Checkout to location
  - CMFEditions: Manage versioning policies
  - CMFEditions: Purge version
  - CMFEditions: Revert to previous versions
  - Change portal events
- In opengever_inbox_document_workflow/definition.xml:
  - CMFEditions: Apply version control
  - CMFEditions: Checkout to location
  - CMFEditions: Manage versioning policies
  - CMFEditions: Purge version
  - CMFEditions: Revert to previous versions
  - Change portal events

Things that a Contributor can and an Administrator cannot:

- Global permissions:
  - plone.restapi: Use REST API
  - plone.restapi: Access Plone vocabularies
- In opengever_templatefolder_workflow/definition.xml:
  - opengever.meeting: Add Sablon Template
- In opengever_inbox_mail_workflow/definition.xml:
  - CMFEditions: Access previous versions

A few other global permissions that the administrator does not have (except Add disposition, the others have a specific role covering them):

- opengever.disposition: Add disposition
- ftw.tokenauth: Impersonate user
- ftw.tokenauth: Manage own Service Keys
- opengever.webactions: Manage own WebActions
- opengever.workspaceclient: Use Workspace Client

Proposed permissions changes

The only ones that I feel could lead to issues are the global permissions. So I'd give the following permissions to the Administrator:

- plone.restapi: Use REST API
- plone.restapi: Access Plone vocabularies

Probably not the others.
Script used
```python
import glob
import lxml.etree as ET

# Report permissions that role1 holds and role2 does not.
role1 = "Editor"
role2 = "Administrator"

# Workflow definitions: roles are the text of children of each permission map.
filenames = glob.glob("opengever/core/profiles/default/workflows/*/definition.xml")
for filename in filenames:
    doc = ET.parse(filename)
    print(filename)
    for element in doc.xpath('//*[text()="{}"]'.format(role1)):
        parent = element.getparent()
        if not parent.xpath('*[text()="{}"]'.format(role2)):
            # print(parent.tag, parent.items())
            print(parent.get("name", "bla"))

# Global role map: roles are given in the name attribute of child elements.
filename = "opengever/core/profiles/default/rolemap.xml"
doc = ET.parse(filename)
print(filename)
for element in doc.xpath('//*[@name="{}"]'.format(role1)):
    parent = element.getparent()
    if not parent.xpath('*[@name="{}"]'.format(role2)):
        print(parent.tag, parent.items())
```
The CMFEditions: Revert to previous versions could be a problem for document versions. I'd say all the CMFEditions things for documents should be looked at.
The opengever.meeting things should be possible for an Admin. We should add them.
We should also probably add opengever.inbox: Scan In, as it may be likely that pure admins help debug scanner setups.
We should also discuss: why have diverging permissions for admins and other roles that should be supported by admins? Would it be better to always ensure that Admin and [insert roles that make sense here] have the same set of Permissions?
We could convert the above script into a test to make sure we don't forget to update Admin in the future.
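One way the role comparison above could become a regression test, as an added example that is not code from this issue or from the project. It uses the standard library's ElementTree instead of lxml; the function names, the `allowed` parameter and both XML samples are constructed for illustration.

```python
import xml.etree.ElementTree as ET
# Constructed sample in the DCWorkflow definition.xml layout (not a real workflow).
WORKFLOW_XML = """
<dc-workflow workflow_id="sample_document_workflow">
  <state state_id="draft">
    <permission-map name="CMFEditions: Purge version" acquired="False">
      <permission-role>Editor</permission-role>
      <permission-role>Manager</permission-role>
    </permission-map>
    <permission-map name="Modify portal content" acquired="False">
      <permission-role>Administrator</permission-role>
      <permission-role>Editor</permission-role>
    </permission-map>
  </state>
</dc-workflow>
"""
# Constructed sample in the GenericSetup rolemap.xml layout.
ROLEMAP_XML = """
<rolemap>
  <permissions>
    <permission name="plone.restapi: Use REST API" acquire="True">
      <role name="Contributor"/>
    </permission>
    <permission name="View" acquire="True">
      <role name="Administrator"/>
      <role name="Contributor"/>
    </permission>
  </permissions>
</rolemap>
"""

def workflow_gaps(xml_text, role, admin="Administrator", allowed=()):
    """(state_id, permission) pairs granted to `role` but not `admin`."""
    gaps = set()
    for state in ET.fromstring(xml_text).iter("state"):
        for pmap in state.iter("permission-map"):
            roles = {(r.text or "").strip() for r in pmap.iter("permission-role")}
            if role in roles and admin not in roles:
                gaps.add((state.get("state_id"), pmap.get("name")))
    return gaps - set(allowed)  # `allowed` holds reviewed, intentional gaps

def rolemap_gaps(xml_text, role, admin="Administrator", allowed=()):
    """Global permissions granted to `role` but not `admin`."""
    gaps = set()
    for perm in ET.fromstring(xml_text).iter("permission"):
        roles = {r.get("name") for r in perm.iter("role")}
        if role in roles and admin not in roles:
            gaps.add(perm.get("name"))
    return gaps - set(allowed)
```

A test would call these on every workflow file and on rolemap.xml and assert that the result is empty, so any permission deliberately withheld from Administrator has to be listed in `allowed` and is reviewed when it changes.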