Warning

This document hasn't been checked for compatibility with current versions of Plone. Use at your own risk.

Restricting access to folders with "shared" users

by llobocki — last modified Dec 30, 2008 03:01 PM
How to set access to a particular folder for a "collective" user - that is, viewing published content in this folder requires logging in under a shared username/password.

How to set access to a particular folder for a collective user

Overview

I wanted to restrict access to content in the published state to a group of users who would need to log on to the site under a common user id and password (specifically, the anonymous user would not be allowed to see the content). The restriction would apply to the content stored in one particular folder. Bear in mind what a shared account costs you: it cannot be revoked for one person without changing the password for everyone, and nothing in the logs tells you which person used it. If that matters, give each person an account and put them in a Plone group instead; the rest of this article sticks with the single shared user.

There are at least two possible solutions. The first, simpler one relies on modifying the existing workflow. The second, more elaborate one (based on a suggestion from Dominic Hiles) uses a new workflow definition and new content types associated with that workflow. In this version Plone's default workflow scheme is also simplified, replaced with a workflow of only two states, private and published.

Solution I.

The procedure takes two steps:

  • defining a group user id, a password, and an appropriate role
  • changing the default Plone workflow

Creating a new role and a group user

This part starts with introducing a new user-defined role. The role can be defined at any level of the server hierarchy, i.e. it may be server-wide, specific to one Plone site, or restricted to objects contained in a particular Plone folder. Define it at the lowest level that covers everything the shared user needs: a role defined on a folder is only valid inside that folder and cannot be granted anything outside it.

  • In the ZMI, select the appropriate place: the root folder, one of your Plone sites, or a folder. Its list of objects shows up in the right-hand frame. Now choose the Security tab; a rather lengthy table of permissions appears.
  • At the very bottom of the permissions table you will notice an editbox entitled "User defined roles". Enter any name (e.g. "Guest") and add the new role.
  • In the ZMI, go to the root folder, your Plone portal, or a folder (in the last case the folder must contain an acl_users object; if it does not, add a User Folder from the add listbox). Open acl_users and choose its Contents tab, which lists the users.
  • Add a new user id
  • Click on the newly created user, enter a password and assign the role ("Guest") you created earlier.

Changing workflow permissions

  • In the ZMI, go to your Plone site, then select portal_workflow
  • Choose the Contents tab
  • Copy and paste the item plone_workflow, then rename the copy (e.g. "modified_plone_workflow"). The original plone_workflow remains intact.
  • Choose the Workflows tab, change the (Default) item from plone_workflow to modified_plone_workflow.
  • Choose the Contents tab
  • Click on the modified_plone_workflow
  • choose the States tab
  • Click on the published state
  • Select Permissions tab
  • Uncheck every permission granted to Anonymous. For Access contents information and View, leave only the Acquire box checked, so that published objects take these two permissions from the folder they live in; the folder's own Security tab then decides who may see them.
  • Repeat the Permissions step for the visible and pending states.
  • Objects that were already published keep the settings stamped on them by the old workflow until you press Update security settings on portal_workflow's Workflows tab, so do that once the chain has been changed. Then log out and open a published item as an anonymous visitor to confirm that access is refused.

Solution II.

The procedure takes four steps:

  • setting the workflow
  • defining a group user id, a password, and an appropriate role
  • creating new contents objects, and associating the new workflow with them
  • creating a folder, and setting access permissions to it.

Setting the workflow

  • in the ZMI, go to your Plone site, then select portal_workflow
  • choose the Contents tab.
    either:
    copy and paste the item plone_workflow, then rename it (e.g. "simple_workflow"),
    or
    press Add Workflow button, select plone_workflow, name it (e.g. "simple_workflow"), click on Add
  • You have now created a copy of the default Plone workflow, which is to be modified. That workflow has four states (private, visible, pending and published), while only two are needed (private and published). The transitions and permissions also have to be changed.

  • Select the States tab and delete the visible and pending states. Make published the initial state.
  • Click on the private state and, in its list of possible transitions, leave only publish checked. Save the changes and go back to the states.
  • Click on the published state and leave only hide checked. Save the changes.
  • While still editing the published state, select its Permissions tab. Uncheck all permissions for Anonymous. In the Acquire column, leave only Access contents information and View checked. Check all permissions for Manager, and Access contents information and View for Owner.
  • Get back to the States
  • Click on publish or select the Transitions tab and click on publish there.
  • Change the title to "Owner publishes content".
  • Go back to your workflow (simple_workflow), select the Transitions tab and remove the transitions that are no longer needed (reject, retract, show, submit).

Your simple_workflow now has two states, private and published. In the private state the content is visible to the Owner (and Manager) only; in the published state the View and Access contents information permissions are acquired from the container object, i.e. the folder, which is therefore where the Guest role has to be granted them.

Creating a new role and a group user

Follow the procedure described in the first part of Solution I (Creating a new role and a group user).

Creating your contents objects

  • in the ZMI, go to your Plone site, then select portal_types
  • copy and paste the type information object (e.g. File) and rename the copy (e.g. RestrictedFile); give the copy its own Title on its Properties tab so that the two types can be told apart in Plone's add menu.

  • back in portal_workflow, on the Workflows tab, add a row for RestrictedFile and assign simple_workflow to it.

Arranging the container object (Plone folder)

  • log into your Plone site as a manager, navigate to the place where the folder should live, and create a folder (switch to the contents view, select Folder from the listbox, click add, and fill in the form).
  • Go to the ZMI, find the folder and open its Security tab to set the permissions that objects inside it will acquire: for View and Access contents information, uncheck Acquire permission settings (otherwise the folder keeps inheriting the site root's grant of View to Anonymous and the restriction is void) and check the Guest, Owner and Manager roles. Note that the folder is itself subject to a workflow, and a transition on the folder re-stamps that workflow's permission map over what you set here, so check the Security tab again after publishing the folder.
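Both solutions rest on the same two Zope mechanisms: permission acquisition (a permission left on Acquire at one level takes the union of the roles granted there and at every level above it, up to the site root, which grants View to Anonymous by default) and the workflow's per-state permission map, which is stamped onto an object on every transition and re-applied by Update security settings. The script below is an added example, not code from this article or from Plone or Zope: a simplified, stand-alone re-implementation of those two rules, used to check the outcome of Solution I's published state and Solution II's simple_workflow. The role name Guest is the article's; the object ids restricted and report are assumptions of the script.

```python
"""Simplified model of Zope 2 permission acquisition plus the two-state
DCWorkflow-style permission map of Solution II. Added example, not code from
the article or from Plone/Zope; Guest is the article's example role, the ids
restricted and report are assumptions of this script."""

VIEW = "View"
ACI = "Access contents information"
PERMS = (VIEW, ACI)


class Node:
    """One object in the acquisition chain: site root, folder or content item."""

    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.perms = {}     # permission -> (acquire: bool, roles: frozenset)
        self.state = None   # workflow state id; None if not workflowed

    def set_permission(self, perm, roles, acquire):
        self.perms[perm] = (bool(acquire), frozenset(roles))


def roles_for_permission(obj, perm):
    """Zope's rule, simplified: collect the roles granted at each level while
    'Acquire permission settings' is on and stop at the first level where it is
    off; a level that says nothing about the permission counts as acquiring."""
    roles, node = set(), obj
    while node is not None:
        acquire, local = node.perms.get(perm, (True, frozenset()))
        roles |= local
        if not acquire:
            break
        node = node.parent
    return frozenset(roles)


def allowed(user_roles, obj, perm):
    return bool(set(user_roles) & roles_for_permission(obj, perm))


class Workflow:
    """private/published, each with the permission map stamped onto an object
    when it enters the state (the state's Permissions tab in the ZMI)."""

    def __init__(self):
        self.states = {
            # published: only Acquire checked for View/ACI, plus Manager and Owner
            "published": {p: (True, {"Manager", "Owner"}) for p in PERMS},
            # private: no acquisition, Manager and Owner only
            "private": {p: (False, {"Manager", "Owner"}) for p in PERMS},
        }
        self.transitions = {"publish": ("private", "published"),
                            "hide": ("published", "private")}
        self.initial = "published"   # initial state as chosen in the article

    def update_role_mappings(self, obj):
        """Done on every transition; 'Update security settings' redoes it."""
        for perm, (acquire, roles) in self.states[obj.state].items():
            obj.set_permission(perm, roles, acquire)

    def do(self, obj, transition):
        src, dst = self.transitions[transition]
        if obj.state != src:
            raise ValueError(f"{transition} is not available from {obj.state}")
        obj.state = dst
        self.update_role_mappings(obj)


def build_site(folder_acquires):
    """Site root grants View to Anonymous (Plone's default); the restricted
    folder grants it to Guest and either keeps or breaks acquisition."""
    root, folder = Node("plone"), None
    folder = Node("restricted", root)
    for p in PERMS:
        root.set_permission(p, {"Anonymous", "Manager", "Owner"}, acquire=False)
        folder.set_permission(p, {"Guest", "Manager", "Owner"}, acquire=folder_acquires)
    wf, doc = Workflow(), Node("report", folder)
    doc.state = wf.initial            # a new RestrictedFile starts published
    wf.update_role_mappings(doc)
    return wf, folder, doc


def anonymous_can_view(folder_acquires):
    _, _, doc = build_site(folder_acquires)
    return allowed({"Anonymous"}, doc, VIEW)


def guest_can_view_after(transition=None):
    wf, _, doc = build_site(folder_acquires=False)
    if transition:
        wf.do(doc, transition)
    return allowed({"Guest", "Authenticated"}, doc, VIEW)


def stale_mapping_demo():
    """An item published under the unmodified plone_workflow still carries
    Anonymous in its own View setting. Returns (before, after) re-applying the
    corrected workflow's mappings, as seen by an anonymous visitor."""
    wf, _, doc = build_site(folder_acquires=False)
    doc.set_permission(VIEW, {"Anonymous", "Manager", "Owner"}, acquire=True)
    before = allowed({"Anonymous"}, doc, VIEW)
    wf.update_role_mappings(doc)      # the 'Update security settings' button
    after = allowed({"Anonymous"}, doc, VIEW)
    return before, after
```

The functions encode the check to run after following either procedure: with the folder's View still on Acquire, an anonymous visitor can read a published item even though the workflow no longer lists Anonymous; with Acquire unchecked on the folder, only Guest, Owner and Manager can; after hide, Guest is locked out again; and an item published before the workflow was modified keeps Anonymous in its own View setting until the mappings are re-applied. On a real site the equivalent test is to log out and request the item's URL as an anonymous visitor.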
