Skip to content

feat: Kimug Authenticated Users role and grant it to plugin-created u…#30

Merged
remdub merged 2 commits into
mainfrom
WEB-4448
Jun 23, 2026
Merged

feat: Kimug Authenticated Users role and grant it to plugin-created u…#30
remdub merged 2 commits into
mainfrom
WEB-4448

Conversation

@remdub

@remdub remdub commented Jun 23, 2026

Copy link
Copy Markdown
Member

…sers

WEB-4448

Summary by CodeRabbit

  • New Features
    • Introduced the “Kimug Authenticated Users” role and automatically grant it to users created by the plugin.
    • Added a 1006 → 1007 upgrade to grant the role to existing plugin-created users.
    • Granted the role permission to access Plone REST API vocabularies.
  • UI Updates
    • Updated the User Listing interface to show the new role in the user management overview.

@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0c09f48c-d2d7-4165-9cf6-ff36c530bb5e

📥 Commits

Reviewing files that changed from the base of the PR and between 660a3bc and 5ec662f.

📒 Files selected for processing (2)
  • src/pas/plugins/kimug/plugin/__init__.py
  • tests/conftest.py
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/pas/plugins/kimug/plugin/init.py

📝 Walkthrough

Walkthrough

Adds a KIMUG_AUTHENTICATED_ROLE = "Kimug Authenticated Users" constant to the plugin, grants it to users in _ensure_user_exists, registers the role in the default GenericSetup rolemap with a vocabulary permission, wires a 1006→1007 upgrade step that back-fills the role to existing @kimug.be users, and updates tests and the changelog.

Changes

Kimug Authenticated Users Role

Layer / File(s) Summary
Role constant and GenericSetup profile registration
src/pas/plugins/kimug/plugin/__init__.py, src/pas/plugins/kimug/profiles/default/rolemap.xml, src/pas/plugins/kimug/profiles/default/metadata.xml
Defines KIMUG_AUTHENTICATED_ROLE, registers the role and the plone.restapi: Access Plone vocabularies permission mapping in the default rolemap, and bumps the profile version to 1007.
Role granting on user creation
src/pas/plugins/kimug/plugin/__init__.py, tests/plugin/test_plugin.py
_ensure_user_exists calls api.user.grant_roles with KIMUG_AUTHENTICATED_ROLE after user creation; exceptions are caught and logged. New test verifies role presence after _ensure_user_exists.
1006→1007 upgrade: ZCML, upgrade profile, and handler
src/pas/plugins/kimug/upgrades/configure.zcml, src/pas/plugins/kimug/upgrades/profiles/1006_to_1007/rolemap.xml, src/pas/plugins/kimug/upgrades/__init__.py, tests/upgrades/test_upgrades.py
Registers the upgrade_1006_to_1007 GenericSetup profile and upgradeSteps block in ZCML, provides the upgrade rolemap.xml, implements grant_kimug_authenticated_role to back-fill the role to @kimug.be users, and tests both the grant and no-op paths.
Setup tests, UI column test, changelog, and test infrastructure
tests/setup/test_setup_install.py, tests/view/test_usergroup_userprefs.py, CHANGES.md, tests/conftest.py
Updates version assertion to 1007, adds role registration test, updates user-listing header assertions from 8 to 9 with sorted comparison, documents the change in the changelog, and resets the OIDC plugin allowed_groups in the test fixture to prevent environment pollution from developer settings.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • bsuttor

Poem

🐇 A new role has hopped into the warren today,
"Kimug Authenticated Users" — hip hip hooray!
We grant it on creation, we back-fill the rest,
The upgrade step runs, passing every test.
The rolemap is tidy, the ZCML aligned,
A fine new permission for kimug.be-kind! 🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and accurately summarizes the main change: introducing a new 'Kimug Authenticated Users' role and granting it to plugin-created users, which aligns with the PR's core objectives and all file changes.
Docstring Coverage ✅ Passed Docstring coverage is 92.31% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch WEB-4448

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
src/pas/plugins/kimug/plugin/__init__.py (1)

405-410: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Preserve traceback when role granting fails.

Line 407 intentionally catches broad exceptions, but logger.error(..., e) drops stack context. Use logger.exception(...) so production diagnosis is actionable while keeping the same fail-open behavior.

Proposed patch
-        except Exception as e:
-            logger.error(
-                "Could not grant %s to %s: %s", KIMUG_AUTHENTICATED_ROLE, userid, e
-            )
+        except Exception:
+            logger.exception(
+                "Could not grant %s to %s", KIMUG_AUTHENTICATED_ROLE, userid
+            )
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pas/plugins/kimug/plugin/__init__.py` around lines 405 - 410, The
exception handler around the api.user.grant_roles() call uses logger.error(),
which drops the stack traceback context and makes production debugging
difficult. Replace the logger.error() call with logger.exception() in the except
block that catches the exception from api.user.grant_roles(). This will preserve
the full traceback while keeping the same fail-open behavior and log message
content.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/pas/plugins/kimug/upgrades/__init__.py`:
- Around line 62-64: The email domain suffix check using endswith("`@kimug.be`")
is case-sensitive and will not match email addresses with uppercase domain
variations like user@KIMUG.BE. Fix this by converting the email to lowercase
before performing the endswith check, ensuring all case variations of the
kimug.be domain are properly matched and users receive the
KIMUG_AUTHENTICATED_ROLE.

---

Nitpick comments:
In `@src/pas/plugins/kimug/plugin/__init__.py`:
- Around line 405-410: The exception handler around the api.user.grant_roles()
call uses logger.error(), which drops the stack traceback context and makes
production debugging difficult. Replace the logger.error() call with
logger.exception() in the except block that catches the exception from
api.user.grant_roles(). This will preserve the full traceback while keeping the
same fail-open behavior and log message content.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 75dba59d-19e6-4354-8754-c362ebb88159

📥 Commits

Reviewing files that changed from the base of the PR and between 0cc9766 and 660a3bc.

📒 Files selected for processing (11)
  • CHANGES.md
  • src/pas/plugins/kimug/plugin/__init__.py
  • src/pas/plugins/kimug/profiles/default/metadata.xml
  • src/pas/plugins/kimug/profiles/default/rolemap.xml
  • src/pas/plugins/kimug/upgrades/__init__.py
  • src/pas/plugins/kimug/upgrades/configure.zcml
  • src/pas/plugins/kimug/upgrades/profiles/1006_to_1007/rolemap.xml
  • tests/plugin/test_plugin.py
  • tests/setup/test_setup_install.py
  • tests/upgrades/test_upgrades.py
  • tests/view/test_usergroup_userprefs.py

Comment thread src/pas/plugins/kimug/upgrades/__init__.py
@remdub remdub merged commit e8c9718 into main Jun 23, 2026
8 checks passed
@remdub remdub deleted the WEB-4448 branch June 23, 2026 09:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant