Understanding permissions and security
This Tutorial applies to:
Any version.
This Tutorial is intended for:
Site Administrators
optilude
- Permissions and roles: The Zope security model is the first thing you need to understand.
- Groups in Plone: Plone adds the concept of a group of users to the basic Zope security model. Groups are convenient ways of managing roles (and thus permissions) for a number of users simultaneously.
- Local roles and sharing: Often, you want to give a user or group specific (usually elevated) permissions in a specific area of your site, but not site-wide. Enter local roles and the 'sharing' tab.
- Controlling access with workflows: In most instances, workflows, managed via the portal_workflow tool, are the correct way of managing permissions on your content.
- Using permissions and workflow in your custom products: When you are developing a Plone site, it is usually best to develop your customisations or new content types on the filesystem, as a new Zope product. Setting up workflows programmatically using the portal_workflow tool is a bit of a pain, but luckily there are tools to make your life much easier. You also need to ensure you use the correct permission declarations on your objects.
GenericSetup and Workflows
Even if DCWorkflowDump doesn't handle Generic Setup profiles, it is still possible to define a workflow through the web (from the management interface) and dump it into filesystem configuration files that integrate well into a Python product.
portal_setup is the tool that takes care of importing Generic Setup import steps. It is also the tool that can be used for exporting the setup of all tools in a Plone site, i.e. the portal_workflow tool. Instead of using DCWorkflowDump, you would go to portal_setup, click on the 'Export' tab, select 'Workflow Tool' and click the 'Export selected steps' button. After downloading the portal_setup tarball you can expand it, edit its workflows.xml file, and add the file to your filesystem Python product. The process requires a bit more work than with DCWorkflowDump, but the job still can be done in a very similar way.
Note: In Plone 3.0, the Quick Installer tool takes care of Generic Setup profiles automatically. This means that workflow definitions in a Generic Setup profile can be applied from portal_quickinstaller instead of from portal_setup.
Read more about GenericSetup: http://plone.org/documentation/tutorial/genericsetup
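A review step that can follow the export described in the comment above, as an added example that is not part of the original comment or of Plone's own code: it lists, per workflow state, the managed permissions that are acquired from the parent or granted to broad roles. It assumes the expanded export contains a DCWorkflow definition.xml using permission-map and permission-role elements; the sample XML, the BROAD_ROLES set and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported workflows/<workflow_id>/definition.xml.
SAMPLE_DEFINITION = """<?xml version="1.0"?>
<dc-workflow workflow_id="mycustom_workflow" initial_state="private">
 <permission>View</permission>
 <permission>Modify portal content</permission>
 <state state_id="private" title="Private">
  <permission-map name="View" acquired="False">
   <permission-role>Manager</permission-role>
   <permission-role>Owner</permission-role>
  </permission-map>
  <permission-map name="Modify portal content" acquired="True">
   <permission-role>Owner</permission-role>
  </permission-map>
 </state>
 <state state_id="published" title="Published">
  <permission-map name="View" acquired="False">
   <permission-role>Anonymous</permission-role>
  </permission-map>
 </state>
</dc-workflow>
"""

# Roles held by large populations of users (assumption: adjust to your site).
BROAD_ROLES = {"Anonymous", "Authenticated", "Member"}

def audit_definition(xml_text):
    """Return (state_id, permission, reason) tuples that deserve a manual review."""
    root = ET.fromstring(xml_text)
    managed = [p.text.strip() for p in root.findall("permission")]
    findings = []
    for state in root.findall("state"):
        sid = state.get("state_id")
        maps = {m.get("name"): m for m in state.findall("permission-map")}
        for perm in managed:
            pmap = maps.get(perm)
            if pmap is None:  # no explicit map for this permission in this state
                continue
            roles = {r.text.strip() for r in pmap.findall("permission-role")}
            if pmap.get("acquired", "False").lower() == "true":
                findings.append((sid, perm, "acquired from parent"))
            broad = sorted(roles & BROAD_ROLES)
            if broad:
                findings.append((sid, perm, "granted to " + ", ".join(broad)))
    return findings

if __name__ == "__main__":
    for finding in audit_definition(SAMPLE_DEFINITION): print(*finding, sep=" | ")
```

Each reported line is a prompt to confirm that the exposure is intended for that state, not an error in itself.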
restrict view permissions to a group or user only
Looking at the sharing tab, from my understanding the following should do the trick:
1. disabling 'Inherit roles from higher levels'
2. add a user with 'Add sharing permissions to users'
3. assign manager role to user in this context.
Still everybody can access it though. Any idea?
thanx christof
Success Following Instructions
I found this tutorial to be extremely helpful, especially the example code for installing the workflow in Install.py. Here are some details of the steps I took to productize my custom workflow:
I installed DCWorkflowDump from the collective using the two commands from my Products/ folder:
(more here: http://sourceforge.net/cvs/?group_id=55262)
Then, I designed my workflow following Chapter 8 "Managing Workflow" in the McKay book: http://docs.neuroinf.de/PloneBook
Next, I went to the dump tab of my workflow, and cut-and-pasted the module into MyProduct/Extensions/MyCustomWorkflow.py
Then I added code into MyProduct/Extensions/Install.py to install the workflow, and bind it to my content type. The only things to point out are, you need to
and keep in mind that wf_tool.manage_addWorkflow(workflowType,id), where id probably looks like mycustom_workflow (DC Workflow Definition). The part in parentheses is the title used by addWorkflowFactory() in the dumped script.