Restricting access to folders with "shared" users

How to set access to a particular folder for a "collective" user - that is, viewing published content in this folder requires logging in under a shared username/password.

Overview

I wanted to restrict access to content in the published state to a group of users who would need to log on to the site under a common user id and password (specifically, the anonymous user would not be allowed to see the content). The restrictions would apply to the content stored in a particular folder.

There are at least two possible solutions. The first, simpler one relies on a modification of the existing workflow. The second, more elaborate one (based on a suggestion from Dominic Hiles) uses a new workflow definition and new content types associated with the new workflow. In this version, we also simplified Plone's default workflow scheme, replacing it with a simple workflow with only two states: private and published.

Solution I.

The procedure takes two steps:

  • defining a group user id, a password, and an appropriate local role
  • changing the default Plone workflow

Creating a new role and a group user

This part starts with introducing a new user-defined role. This role can be defined at any place in the server hierarchy, i.e. may be server-wide, a particular Plone site-wide, or restricted to objects contained in any of the Plone folders.

  • In the ZMI, select the appropriate place: the root directory, any of your Plone sites, or a folder. A list of objects should show up in the right window. Now choose the Security tab. A rather lengthy table of permissions should appear.
  • At the very bottom of the permissions table you will notice an editbox entitled "User defined roles". Enter any name (e.g. "Guest") and add the new role.
  • Go to either the root directory, your Plone portal or a folder in the ZMI (in the latter case, this folder should contain an acl_users object - if it does not, you should add a User Folder using the listbox), and select acl_users from the dropdown list; then choose the Contents tab on the list of users.
  • Add a new user id
  • Click on the newly created user item, enter password and choose the role ("Guest") you have created earlier for this user.

Changing workflow permissions

  • In the ZMI, go to your Plone site, then select portal_workflow
  • Choose the Contents tab
  • Copy and paste the item plone_workflow, then rename it (e.g. "modified_plone_workflow"). The original plone_workflow will remain intact.
  • Choose the Workflows tab, change the (Default) item from plone_workflow to modified_plone_workflow.
  • Choose the Contents tab
  • Click on the modified_plone_workflow
  • choose the States tab
  • Click on the published state
  • Select Permissions tab
  • Uncheck any permissions given to Anonymous. Under Acquire, Access contents information and View should be left checked.
  • Repeat the last two steps for the visible and pending states.

Solution II.

The procedure takes four steps:

  • setting the workflow
  • defining a group user id, a password, and an appropriate local role
  • creating new contents objects, and associating the new workflow with them
  • creating a folder, and setting access permissions to it.

Setting the workflow

  • in the ZMI, go to your Plone site, then select portal_workflow
  • choose the Contents tab.
    either:
    copy and paste the item plone_workflow, then rename it (e.g. "simple_workflow"),
    or
    press Add Workflow button, select plone_workflow, name it (e.g. "simple_workflow"), click on Add
  • You have now created a copy of the default Plone workflow, which is to be modified now. This workflow involves four states (private, visible, pending and published), while we need only two (private & published). Next, transitions and permissions have to be changed, too.

  • Select the States tab, and delete the visible and pending states. Make published the initial state.
  • Click on the private state, and change the checkboxes so that only publish is checked. Save changes. Get back to the states.
  • Click on the published state, and change the checkboxes so that only hide is checked. Save changes.
  • While still editing the published state, select the Permissions tab. Uncheck all the permissions for the Anonymous user. Under Acquire, leave only Access contents information and View checked. Check all the permissions for the Manager, and Access contents information and View for the Owner.
  • Get back to the States
  • Click on publish or select the Transitions tab and click on publish there.
  • Change the title to "Owner publishes content".
  • Get back to your workflow (simple_workflow), select Transitions tab and remove the unnecessary transitions (reject, retract, show, submit).

Now your simple_workflow has two states: private and published. In the private state, contents will be visible to the Owner only, while in the published state the permissions for accessing and viewing will be acquired from the container object, i.e. the folder.

Creating a new role and a group user

Follow the procedure described in the first part of Solution I.

Creating your contents objects

  • in the ZMI, go to your Plone site, then select portal_types
  • copy & paste the object class (e.g. File), rename the copy (e.g. RestrictedFile)

  • back to portal_workflow, associate RestrictedFile with simple_workflow.

Arranging the container object (Plone folder)

  • log into your Plone site as admin, navigate to the place you want your folder to be contained in, and create a folder (in the navigation box, switch to the contents view, select Folder from the listbox, click add, and fill the form).
  • Go to the ZMI, find your folder and set the appropriate permissions that would be acquired by objects contained in it.
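
The following added example (not part of the original how-to, and not Zope's own code) is a simplified Python model of how the View permission resolves for a published item inside the restricted folder. The class and function names, the Guest-only folder setting with Acquire switched off, and the Manager fallback at the top of the chain are assumptions made for illustration.

```python
# Simplified model of Zope permission acquisition (added example, not Zope code).
# Each object stores, per permission, the roles ticked locally and whether the
# "Acquire" checkbox is ticked. All names below are hypothetical.

class Node:
    def __init__(self, name, parent=None):
        self.name, self.parent, self.settings = name, parent, {}

    def manage_permission(self, permission, roles, acquire):
        # Same shape as a row of the ZMI Security tab: role boxes plus Acquire.
        self.settings[permission] = (frozenset(roles), bool(acquire))

def effective_roles(node, permission):
    """Union the local roles while walking up; stop where Acquire is off."""
    roles = set()
    while node is not None:
        local, acquire = node.settings.get(permission, (frozenset(), True))
        roles |= local
        if not acquire:
            return roles
        node = node.parent
    return roles | {"Manager"}  # assumption: top of the chain falls back to Manager

def allowed(user_roles, node, permission="View"):
    return bool(set(user_roles) & effective_roles(node, permission))

def build(published_roles):
    """Site -> restricted folder -> published item carrying the state's roles."""
    site = Node("site")
    site.manage_permission("View", ["Anonymous", "Manager"], acquire=True)
    folder = Node("restricted", site)
    # Assumed folder setting for the last step: Guest may view, Acquire is off.
    folder.manage_permission("View", ["Guest", "Manager", "Owner"], acquire=False)
    item = Node("report", folder)
    # What the workflow's published state writes onto the item itself.
    item.manage_permission("View", published_roles, acquire=True)
    return site, folder, item

# Published state with Anonymous still ticked on the item.
_, _, leaky = build(["Anonymous", "Manager", "Owner"])
# Published state from Solution II: Anonymous unticked, Acquire left on.
_, _, fixed = build(["Manager", "Owner"])

if __name__ == "__main__":
    for label, item in (("anonymous ticked", leaky), ("simple_workflow", fixed)):
        print(label, {r: allowed([r], item) for r in ("Anonymous", "Guest")})
```

With Anonymous still ticked on the published state, the item is viewable by anyone regardless of the folder setting; with the state from Solution II, only the roles granted on the folder get through.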

How to remove an acquired local role in a folder/document for a user or group ?

Posted by thomtest at Feb 16, 2005 06:43 PM
Hi,

Thanks for your explanation, but if I want to remove the view privilege on my "restricted document" in a subfolder from some users who have restricted access in the parent folder, how can I do that?

In other words, how can I break the role acquisition set by folder_localrole_form?

Unset Acquire Permission Settings

Posted by Norbert Klamann at Apr 07, 2005 03:41 PM
In the Security Tab of the Object and define the Permissions explicitly

How to Share role to user?

Posted by John Kavanagh at Apr 12, 2005 08:31 PM
Why isn't the new 'guest' role a "Role to assign" in the folder_localrole_form? What do you change so that 'guest' is assignable?

How to make folders accessible for only certain users

Posted by John Kavanagh at Apr 12, 2005 08:40 PM

Broken link?

Posted by Marco De Vitis at Jul 18, 2005 10:26 AM
Hi, the link in your comment could be interesting, but it doesn't seem to work, currently. It leads to a login request, and I can't find any way to register on that web site.

sorry - I removed the article...

Posted by Tom Lazar at Aug 25, 2006 06:25 PM
...because it had seriously become outdated. As of Plone 2.1.x this is much more easily achieved with the default sharing panel.

parent folder access

Posted by Joerg Maier at Jan 22, 2007 07:30 PM
Hi,

I tried your suggestion, but the problem is: if the folder with restricted access is in another folder, its "parent folder", then no user (who is not manager, owner or in the group configured for access) can look at the parent folder. How can I give all users access to that "parent folder" without giving them permission to access the restricted folder? There must be a permission to view a folder but not its content. If the restricted folder were invisible to all users, it would be even nicer. So a user does not see a folder and when he clicks on it he gets a permission denied error.

(BTW, I am running Plone 2.0.4 from Debian sarge; would an upgrade help to simplify the access policies?)

Thanks, Joerg

parent folder access

Posted by Nandita Chakravarti at Jan 31, 2007 07:34 PM
I'm not sure if it's available on the version you are using, but:

In the restricted folder (child folder), click the Sharing Tab, go down to the bottom to Advanced Settings, and unclick Inherit roles from higher levels.

parent folder access

Posted by Joerg Maier at Jan 31, 2007 08:22 PM
Hi Nandita,

Thanks for your reply. I have already unset the inherit option in the restricted folder. This option is available. Still, I have the problem that users who have no permission to see the folder are not allowed to see the parent folder as well. But the parent folder is important, so I don't want ordinary users to get an access denied permission when they want to list the content of a folder and a part of this content (a child folder) is restricted.

Regards,
Joerg

security on container object

Posted by Winn King at Mar 04, 2007 11:13 PM
It seems that the permissions you set up in the last step of the tutorial for the folder that's going to contain all the restricted content are lost whenever you click the "update security settings" button in portal_workflow. This results in opening the restricted content to the public. At least this is what happens in Plone 2.1.2. The only way around this problem I can see is to create a new content type based on ATFolder and either create a special workflow for it or give it no workflow at all so that updating security settings will not affect it.