Set up a Plone 3 site with public and restricted content
A relatively simple scheme for setting up your Plone 3 site with public (i.e. anonymous), member, and restricted access.
Purpose
This note explains how to set up your Plone 3 site so that some content is accessible to anonymous users, other content is accessible only to logged-in users, and other content is accessible only to members of specific groups. No add-on products or special instructions to end users are needed. Workflow and local roles are used.
Case Example
The step by step instructions are for a site with the following requirements:
- by default, material is only accessible to logged in users
- some material should be accessible to people who are not logged into the site
- restricted content must not be available to regular members or anonymous users (including through search)
- regular users must not be made aware that restricted areas exist on the website
- end users cannot be expected to follow any special instructions after creating content
Other requirements can be met by altering the steps below. The steps shown are meant to be a simple example.
In this example, I use the Intranet/Extranet Workflow that comes with Plone 3. It defines 3 states for web content that can be used to define different levels of access for folders (and their contents). A 4th state is used, the default state, which acquires the permissions of the folder it is within.
- Internally published: this is the state for content that is to be accessible by members only
- External: this is the state for content accessible also by anonymous users (i.e. those not logged in)
- Private: this is the state that will be used for restricted access areas; only members of specific groups will be able to access it
- Internal: this is the default state of any new material; it acquires the access permissions of its parent folder
Step by step
Step 1: Choose workflow
- Go to Site Setup -> Plone configuration -> Types
- If "Intranet/Extranet Workflow" is not the current workflow, choose that workflow and apply changes, and wait
Step 2: Modify workflows by type
- Go to the Zope Management Interface (Site Setup -> Plone configuration -> Zope Management Interface)
- Click on portal_workflow
- At the bottom of this page, enter the Default workflow: intranet_workflow [should already be that way]
- For File enter (Default)
- For Document enter (Default)
- For Folder enter (Default)
- Click the button labeled "Change"
Step 3: Modify the workflow permissions
- From portal_workflow, click on the Contents tab
- Click on intranet_workflow
- Click on the States tab
- Click on the internal state (it should have an asterisk indicating it is the default state)
- Click on the Permissions tab
- Change the settings so it matches the figure below. As you can see, anonymous users and members will only have access to material if they acquire that privilege from its container.
- Click on the button labeled Save Changes and click on portal_workflow in the path shown at the top to go back four levels. The other states should be left as they were originally defined.
- Important: Click on the button labeled Update Security Settings. This will apply the settings you made to all existing files and folders. New files and folders will have these settings applied when they are created.
Step 4: Set up folders for content
- To keep things organized, material should only be placed in folders, not in the root of the Plone site. Create the top level folders with the Plone interface to give your site some organization. Decide which are to be open, open to members, and open only to certain members. The folders should be put into the corresponding external, internally published, and private states respectively. Do this through the Plone interface, either within the contents view or by using the element labeled State in the green bar.
- You can authorize members or special groups to add or modify content within folders by clicking on the sharing tab, and selecting the appropriate options.
- Note that internal files in the root of the Plone instance (index_html, for example) will be accessible by anonymous users.
- As material is added into the folders, by default they will have the internal state, giving them the same access as their parent folder. If needed, individual elements can have their access changed to one of the three other states with definitive access (external, internally published, or private).
- Internal files and subfolders in a private folder will not be accessible by regular users. To allow a group of members to have access, you must create a group, then give that group the manager role for that folder, as follows:
- Go to Site Setup -> Plone configuration -> Users and Groups
- Click on the Groups tab, and create a new group. No need to give any special role to the new group.
- Add the set of members that need to access a private folder. Note you can set up several groups, each having access to different sets of private folders.
- Within Plone, find the private folder that you want to allow the group to access
- Click on that folder, and then on the Sharing tab
- Enter the name of the group in the search box, and give that group the special permissions.
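The access rules from Steps 3 and 4, as an added example that is not part of the original how-to: a simplified Python model of who ends up with View on an item once the internal state acquires from its container. The role sets per state, the folder names and the group name `board_group` are assumptions for illustration, not an export of the real workflow definition.

```python
# Simplified model of the View permission under the scheme on this page.
# The role sets are assumptions for illustration, not an export of
# intranet_workflow; compare with each state's Permissions tab on a real site.
STATE_VIEW = {  # state: (acquire from container?, roles granted View)
    "external": (False, {"Anonymous"}),
    "internally_published": (False, {"Member", "Manager"}),
    "private": (False, {"Manager"}),
    "internal": (True, {"Manager"}),  # after the Step 3 change
}
ROOT_VIEW = {"Anonymous"}  # the site root itself is viewable by everyone


class Item:
    def __init__(self, state="internal", parent=None, local_roles=None):
        self.state, self.parent = state, parent
        self.local_roles = local_roles or {}  # {group: roles}, Sharing tab

    def view_roles(self):
        """Roles holding View here, following acquisition upward."""
        acquire, roles = STATE_VIEW[self.state]
        if not acquire:
            return set(roles)
        return roles | (self.parent.view_roles() if self.parent else ROOT_VIEW)

    def can_view(self, global_roles=(), groups=()):
        needed = self.view_roles()
        if "Anonymous" in needed:  # granted to Anonymous means open to all
            return True
        held, node = set(global_roles), self
        while node is not None:  # local roles apply to everything below
            for group in groups:
                held |= node.local_roles.get(group, set())
            node = node.parent
        return bool(needed & held)


def sample_site():
    """Constructed tree; folder and group names are hypothetical."""
    board = Item("private", local_roles={"board_group": {"Manager"}})
    return {
        "index_html": Item(),  # internal, in the site root
        "members/page": Item(parent=Item("internally_published")),
        "board/minutes": Item(parent=board),
        "board/press": Item("external", parent=board),
    }


if __name__ == "__main__":
    for path, item in sample_site().items():
        print(path, item.can_view(), item.can_view(["Member"]),
              item.can_view(["Member"], ["board_group"]))
```

In the model, an item explicitly set to external inside a private folder is still viewable by anonymous users, so the state of individual items in restricted folders is worth reviewing alongside the folder's own state.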
Step 5: Set up tabs for private folders
If a common home page is used for all members, there should be no links to private folders on the page, as they will only work for members of the groups that have access to them. Instead, tabs can be used so that they appear only for those that have access to the private folders. In Plone 3, the default is to show a tab for all folders that are accessible to the member. This may generate too many tabs for your users, so to limit the number of tabs one has to set up the tabs by hand as follows:
- Go to Site Setup -> Plone configuration -> Navigation
- Uncheck the box labeled: Automatically generate tabs
- Go to the Zope Management Interface
- Click on portal_actions
- Click on portal_tabs
- Click the Add button on the upper right to add a new CMF action
- Enter the following information (elements with underscore to be replaced with appropriate names)
- Title: the title that you want to appear in the tab
- URL: string:${globals_view/navigationRootUrl}/restricted_folder_name
- Condition: python: member and (member.id in here.portal_groups.getGroupById('group_name').getAllGroupMemberIds())
- Permissions: click on View here... not sure what this is for!?
- Click on the button labeled "Save Changes"
Step 6: Remove Searchbox for anonymous users
If you don't want anonymous users using the Plone search feature on your site, you can do the following:
- Go to the Zope Management Interface
- Click on portal_view_customizations
- Click on plone.searchbox near the bottom of the list
- Click on customize
- Add to the end of the first line: tal:condition="python:user.has_role('Member')"

news and events problems...
Events published anywhere on the site, including the events tab itself, show up in the calendar portlet, but NOT under "events".
You need to change the criteria of the events-collection here: eliminate "status:published" and it works again.
For the news items: they only show up when published in the news tab, not from user folders (even if every folder from top to news item is externally published). Unfortunately, I couldn't find how to fix that behaviour yet.