Users, Authentication, and Permissions


General

Adding a custom permission to a product
Using rolemap.xml to create new roles is easy, and you can add predefined permissions to your new roles. But what if you want to define a new permission for your product? Use setDefaultRoles.
Create different restricted areas in the Control Panel
Here we describe how to programmatically protect different elements of the Plone Control Panel with different permissions, so you can grant e.g. access to the Calendar configlet but not to the Add-ons one.
Hardening Plone
This document describes how to secure your Plone site. It is based on a use case of a high-security project, that has been audited by professional security auditing companies. Both companies have approved the Plone site and underlying infrastructure. The implementation was granted a certificate from certifiedsecure.eu.
Login Redirect Problems from Bad ACTUAL_URL
When you're prompted to log in to access something on your site, your redirect doesn't work, and you have VirtualHost stuff in your ACTUAL_URL.

Active Directory and LDAP

ActiveDirectory with read and write functionality
Plone supports ActiveDirectory authentication out of the box, but not writing to it. This is a complete example with screenshots and monkey patches to accomplish that. It shows how to completely move storage of users, groups and roles to ActiveDirectory.
Authenticating With Active Directory
How to make Plone authenticate against Active Directory using PlonePAS.
Authenticating with Active Directory
How to make Plone authenticate against Active Directory. (document needs updating because Plone 2.5.x uses PlonePAS instead of GRUF)
Authentication of Plone 2.5 (Zope 2.9) against a Windows 2003 Active Directory
Describes how to set up Plone 2.5 running on Zope 2.5 (using Python 4.0) to authenticate against Active Directory on Windows 2003.
Authentication of Plone 2.5 (Zope 2.9) against a Windows 2003 Active Directory
Description of setting up Plone to authenticate against Windows
How to configure Plone programmatically
This tutorial explains how to configure users/groups from LDAP and how to set roles programmatically. You can save time by putting the code of this tutorial into your own customization policy or in your ExternalMethods, and you'll get your Plone site perfectly configured.
LDAP Authentication with Plone (versions 2.1.x and 2.0.x only and NOT 2.5 or later)
Here are some general tips on how to get Plone versions 2.1.x or earlier working with LDAP authentication. This is NOT RELEVANT to Plone 2.5 or later (using PlonePAS).
Minimal Single Sign On for Plone using Kerberos
This howto describes the minimal steps required for Single Sign On (SSO) for your Plone site, using the credentials you used for logging in to your machine.
Plone 2.5 and OpenLDAP Integration for Users and Groups
How to have your Plone 2.5 site read from and write to your OpenLDAP directory for users and groups on a Linux server.
Setting up Plone 3 to Authenticate Using Active Directory
A not-so short how-to on using the current PloneLDAP plugins to get things going with Active Directory.
Single Sign On In Windows Domains
This HowTo tells you how to integrate Zope, Plone and Apache in a Windows domain such that domain users are automatically logged into Plone. It's also a tutorial about getting Zope/Plone to run behind an Apache web server using FastCGI.
Single Sign On with Active Directory
This will show how to install Plone on a fresh install of Debian 5 that will authenticate with Active Directory for single sign-on (SSO) using either Kerberos or mod_ntlm2 for authentication. This site will be an intranet with apache2 in front of the Plone site over SSL.
Using LDAP and Active Directory
How to use LDAP and Active Directory to manage your users.
Using LDAP in Windows
Active Directory authentication via LDAP for win32. This document needs updating to reflect use of PlonePAS instead of GRUF with Plone 2.5.x.

Login Authentication

A visual reference of Plone privileges management
Construction of a map, step by step, that shows each of the Plone content security mechanisms and ultimately how they relate to each other.
Authenticate users from PostgreSQL using SQLUserFolder
How to use SQLUserFolder to authenticate Plone users from a remote PostgreSQL database.
Close site so people can't add themselves as users
How to close the site so that users can't sign themselves up.
Fix broken login form
You're running Plone 2.5 or higher and your log-in form is a naked page with just a form saying "Please log in" that doesn't even redirect correctly?
How To Setup SQLPASPlugin to Authenticate Against A PostgreSQL Database
Documents the setup of SQLPASPlugin for SQL based authentication in Plone 2.5, using PostgreSQL.
Implementing Single Sign-On
Single sign-on using Pubcookie and mod_auth_tkt.
Make Plone more secure: Disabling Base64-encoded cookies with SessionCrumbler
By default, Plone creates a Base64-encoded cookie (encoded, not encrypted: the password is trivially recoverable) that stores your password whenever you log in. Here is a different approach that uses sessions instead of cookies for login data.
Minimal Single Sign On for Plone using Kerberos
This howto describes the minimal steps required for Single Sign On (SSO) for your Plone site, using the credentials you used for logging in to your machine.
Reset a password (without having to email one to the user)
This procedure uses the Zope Management Interface. You must have access to the Zope Management Interface to be able to do this procedure.
Resetting User Passwords through Plone Interface (not ZMI)
So that you don't have to expose/subject your site administrators to the Zope Management Interface in order to reset user passwords, this How-To explains the process of resetting a user password by using the Plone (Site Setup) interface only.
Secure login without plain text passwords
By default, plain text usernames and passwords go over the wire for both initial login and the subsequent cookie authentication. This how-to shows a safer alternative.
Setting up Plone 3 to Authenticate Using Active Directory
A not-so short how-to on using the current PloneLDAP plugins to get things going with Active Directory.
Using unauthorized modules in scripts
How to authorize scripts and other secure contexts to use external (unauthorized) Python code, then call this code from page templates.

Permissions & Authorization

Setup a Plone 3 site with public and restricted content
A relatively simple scheme for setting up your Plone 3 site with public (i.e. anonymous), member, and restricted access.
Understanding permissions and security
Plone uses a combination of low-level Zope permissions, roles, local roles and workflows to manage permissions on objects. Understanding these will help you manage how, and by whom, your Plone site is accessed.
Adding a "Sharing" action-tab to your product/type
Two methods for adding a "Sharing" action-tab to your Plone product or item type.
Adding new roles to the Sharing Page
Explains how to add other roles to the set of managed roles at Plone 3 sharing tab.
Allowing Anonymous Users to Add Content
I had the need for Anonymous Plone users to add, edit, and save a specific content type in a specific location (folder) and couldn't find any resources, thus this quick HowTo.
Anonymous adding of unpublished content
This howto is about customizing an archetype content to let anonymous users add content, but not be able to view what has already been added.
Creating a private Plone site
How to make your site only accessible to logged-in users.
Enable editing for anonymous users under certain conditions
Sometimes, for convenience, it is necessary to allow content editing for anonymous users. One use case is to allow anonymous review and feedback in certain workflow states. This how-to explains how this can be achieved.
Ensure that deleted users cannot re-register and gain control of their previous folders
You may want to be able to delete naughty users from your site, but keep any content they may have created. However, the default behaviour allows the users to re-register with the same user name and regain their existing folder. This fix stops that.
Grant Collection (ATTopic) permissions to contributors and editors
Out of the box, contributors and editors do not have the rights to manage Collections (topics, smart folders). This howto provides a GenericSetup rolemap that makes Collections manageable just like other content.
Listing all permissions in the site
In the ZMI's "Security" tab, at the top level, you will see a list of all permissions in the site, and who has access to them. This how-to describes how to get a script to make a list of these permissions.
Removing things from the portal view for anonymous visitors
How to remove some features from the default "home page" view of your portal for anonymous visitors, but ensure they reappear once logged in.
Resetting User Passwords through Plone Interface (not ZMI)
So that you don't have to expose/subject your site administrators to the Zope Management Interface in order to reset user passwords, this How-To explains the process of resetting a user password by using the Plone (Site Setup) interface only.
Sharing Editing Capabilities for Pages and Folders
This describes how to give a user of your site editing privileges of particular folders or pages.
Show or hide a tab based on IP address
Shows you how to show or hide a portal tab based on the client IP address. Useful for intranet environments.

User Management

Adding new roles to the Sharing Page
Explains how to add other roles to the set of managed roles at Plone 3 sharing tab.
Batch-adding Users to Plone using CSV (Excel) files
How to import/create new users from CSV (a.k.a. Excel) files.
Change the title of the Members folder
How to change the title of the "Members" folder
Converting single user Plone site to multiuser review based CMS site
One might want to convert an existing single-user Plone site to a real CMS where people can submit content that has to be reviewed. This how-to gives guidance on achieving that goal.
Creating your own Custom Member Content-types with Archetypes and ReMember
This tutorial teaches you how to create your own custom site membership product.
Export member data to CSV
A quick step by step on exporting your Plone member data as a comma separated file.
How to create default content in Member Area
Each member gets a member area created when they first log in. How do you get certain content put in this folder by default?
Making a custom folderish type act as the member folder
This tutorial explains how to create your own portal_membership tool in order to override the creation of the member folder. Be warned: this tutorial is not for the faint-hearted, but for advanced Plone programmers.
Reset a password (without having to email one to the user)
This procedure uses the Zope Management Interface. You must have access to the Zope Management Interface to be able to do this procedure.
Resetting User Passwords through Plone Interface (not ZMI)
So that you don't have to expose/subject your site administrators to the Zope Management Interface in order to reset user passwords, this How-To explains the process of resetting a user password by using the Plone (Site Setup) interface only.
Use Groups for Collaborative work
This How-to describes one way to use GRUF and Group spaces to carry out collaborative work. Using GRUF makes Plone into a powerful collaborative working environment.

Workflow

Setup a Plone 3 site with public and restricted content
A relatively simple scheme for setting up your Plone 3 site with public (i.e. anonymous), member, and restricted access.
Adding user input into a Workflow
(this may have been abandoned)
Change state recursively in a workflow transition
When transitioning a folderish object, transition all children objects automatically.
Creating objects with workflow state of parent object
In this how-to one possible solution is shown for how to set newly created objects to the state of their parent object.
Creating Workflows in Plone
This documentation explains the purpose of the DCWorkflow product and how to make use of it. DCWorkflow is a CMF Product for Zope, and Plone's workflows are built using it.
Disabling workflows site-wide
How to disable workflows if you don't need them for your site.
Displaying only published items in folder listings to anonymous users.
If you don't do this, Plone's folder listing option will display both visible and published items to anonymous users.
Email upcoming events to a Plone group
A Python script to notify all members of a Plone group of upcoming events via email.
Enable editing for anonymous users under certain conditions
Sometimes, for convenience, it is necessary to allow content editing for anonymous users. One use case is to allow anonymous review and feedback in certain workflow states. This how-to explains how this can be achieved.
Fixing Workflow States (a real-life example)
When workflows get confused, content items get reset to the default state. If you have a backup or a QA server, you can restore the correct workflow states.
Implement edit-view modes
Make it possible for users to show and hide the editable border and content tabs from a standard Plone site.
Make a complete folder structure private
This how-to summarizes the steps needed to make all elements below a private folder private.
New workflows in Plone 3
Plone 3 ships with a set of new workflows giving site administrators more choices when managing the ways their users interact with site content.
Partitioning your site with different access rules using custom workflows
This How To explains the necessary steps to partition your site, using a custom workflow, so that the same content types have seemingly different access rules based on where the content is within the site.
Restricting access to transitions using groups
Use portal groups to decide who can perform certain transitions.
Send announcements from workflow
Shows how to send email announcements to members when workflow states are altered.
Send emails to users to remind them of expiring content
To keep my site fresh, I have a workflow action that sets ExpirationDate to now + 31 days. This how-to shows a way to send emails in advance of the item expiring.
Send mail on a workflow transition
Shows how to send an email when a workflow transition is triggered, for example to notify content owners that their document has been rejected.
Setting permissions with workflow
Describes how to alter object permissions based on workflow states.
Sharing Editing Capabilities for Pages and Folders
This describes how to give a user of your site editing privileges of particular folders or pages.
Time based workflow transitions
How to make workflows do something based on time.
Workflow with multiple approvals required
A custom workflow that requires a number of approvals of a document for it to be published.