Make a complete folder structure private
If a folder is private, but a sub-folder is visible, it will still be possible for anonymous users to find it via a search or access it with a direct URL.
Consider this example:
root
- public folder
- private folder
  - document 1
  - subfolder
    - document 2
By default the documents document 1 and document 2 and the folder subfolder are visible and can be accessed by anonymous users, even if the folder private folder is in the private state.
To make subfolders and documents private when a parent folder is private, you need to change the workflow. Instead of assigning the permissions Access contents information and View directly to folders and objects, they must be acquired from the parent.
Changing Plone's default workflow
Follow these steps to make this change to Plone's default workflow:
- Enter the Zope Management Interface (ZMI):
  - Log in to your Plone site as administrator.
  - Click on site setup in the bar under the tabs, or navigate directly to the URL <my_website_url>/plone_control_panel.
  - Click on Zope Management Interface.
- Change the security settings of Plone's default workflow:
  - Click on portal_workflow.
  - Click on the Contents tab.
  - You should see plone_workflow and folder_workflow links. Click on plone_workflow.
  - Click on the States tab.
  - Follow the link called visible (don't just check the box).
  - Click on the Permissions tab.
  - You should now be looking at a table of check boxes, four lines long. Under Anonymous, you'll see two boxes checked (by default): Access contents information and View. Uncheck those two.
  - Make sure the first box on these lines under Acquire permission settings? is checked.
  - Hit the save changes button.
  - Click on portal_workflow in the breadcrumbs and then on the Contents tab. Select the folder_workflow link, and repeat the above steps to modify the folder workflow settings.
- Apply the new security settings to existing objects:
  - Click on portal_workflow in the breadcrumbs.
  - Push the button Update security settings (at the bottom of the page).
These changes make all visible objects inherit their permissions from the parent object. That is, if a parent folder is private, the objects beneath it are not accessible to anonymous users.
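The effect of the change can be checked with a small model of permission acquisition. The following is an added example, not Plone or Zope code: the role sets per state, the root setting and the function names are assumptions made for illustration, and only View is modelled because Access contents information is handled the same way. It lists every object anonymous users can view in the example tree, before and after the workflow change.

```python
# Added illustration: a simplified model of Zope permission acquisition.
# Workflow maps, root roles and the tree are constructed for this example.
from dataclasses import dataclass, field

# state -> (acquire from parent?, roles granted explicitly) for "View"
DEFAULT_WF = {"private": (False, {"Manager", "Owner"}),
              "visible": (True, {"Anonymous", "Manager", "Owner"})}
# After the change: Anonymous unchecked on "visible", acquire still checked.
CHANGED_WF = {"private": (False, {"Manager", "Owner"}),
              "visible": (True, {"Manager", "Owner"})}
ROOT_ROLES = frozenset({"Anonymous", "Manager"})  # assumed site-root setting

@dataclass
class Node:
    name: str
    state: str
    children: list = field(default_factory=list)

def effective_roles(path, workflow):
    """Fold role settings from the root down to the last node in path."""
    roles = set(ROOT_ROLES)
    for node in path:
        acquire, explicit = workflow[node.state]
        roles = explicit | (roles if acquire else set())
    return roles

def anonymous_viewable(tree, workflow):
    """Return the paths of all objects that Anonymous can view."""
    found = []
    def walk(node, path):
        path = path + [node]
        if "Anonymous" in effective_roles(path, workflow):
            found.append("/".join(n.name for n in path))
        for child in node.children:
            walk(child, path)
    for top in tree:
        walk(top, [])
    return found

TREE = [Node("public folder", "visible"),
        Node("private folder", "private", [
            Node("document 1", "visible"),
            Node("subfolder", "visible", [Node("document 2", "visible")])])]

if __name__ == "__main__":
    print("default:", anonymous_viewable(TREE, DEFAULT_WF))
    print("changed:", anonymous_viewable(TREE, CHANGED_WF))
```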
Learn more about permissions
You can learn more about security in the tutorial on permissions and workflow. A good explanation can also be found in the books The Definitive Guide to Plone and Plone Live.

