Understanding permissions and security

Plone uses a combination of low-level Zope permissions, roles, local roles and workflows to manage permissions on objects. Understanding these will help you manage how, and by whom, your Plone site is accessed.

  1. Permissions and roles: The Zope security model is the first thing you need to understand.
  2. Groups in Plone: Plone adds the concept of a group of users to the basic Zope security model. Groups are a convenient way of managing roles (and thus permissions) for a number of users simultaneously.
  3. Local roles and sharing: Often, you want to give a user or group specific (usually elevated) permissions in a specific area of your site, but not site-wide. Enter local roles and the 'sharing' tab.
  4. Controlling access with workflows: In most instances, workflows, managed via the portal_workflow tool, are the correct way of managing permissions on your content.
  5. Using permissions and workflow in your custom products: When you are developing a Plone site, it is usually best to develop your customisations or new content types on the filesystem, as a new Zope product. Setting up workflows programmatically using the portal_workflow tool is a bit of a pain, but luckily there are tools to make your life much easier. You also need to ensure you use the correct permission declarations on your objects.


Success Following Instructions

Posted by stephenhow at Apr 25, 2005 07:26 AM
I found this tutorial to be extremely helpful, especially the example code for installing the workflow in Install.py. Here are some details of the steps I took to productize my custom workflow:

I installed DCWorkflowDump from the collective using the two commands from my Products/ folder:
<pre>
cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/collective login
cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/collective co -P DCWorkflowDump
</pre>
(more here: http://sourceforge.net/cvs/?group_id=55262)

Then, I designed my workflow following Chapter 8 "Managing Workflow" in the McKay book:
http://docs.neuroinf.de/PloneBook

Next, I went to the 'dump' tab of my workflow, and cut-and-pasted the module into MyProduct/Extensions/MyCustomWorkflow.py

Then I added code into MyProduct/Extensions/Install.py to install the workflow, and bind it to my content type. The only things to point out are, you need to
<pre>
from Products.CMFCore.utils import getToolByName
</pre>
and keep in mind that wf_tool.manage_addWorkflow(workflowType,id), where id probably looks like 'mycustom_workflow (DC Workflow Definition)'. The part in parentheses is the title used by addWorkflowFactory() in the dumped script.

GenericSetup and Workflows

Posted by David Convent at Jul 06, 2007 08:00 AM
Since Plone 2.5, it is possible to use a Generic Setup extension profile to add or customize a workflow in a CMF/Plone portal. GenericSetup is part of the CMF suite. See CMFPlone/profiles/default/workflows.xml for a usage example.

Even if DCWorkflowDump doesn't handle Generic Setup profiles, it is still possible to define a workflow through the web (from the management interface) and dump it into filesystem configuration files that integrate well into a Python product.

portal_setup is the tool that takes care of importing Generic Setup import steps. It is also the tool that can be used for exporting the setup of all tools in a Plone site, i.e. the portal_workflow tool. Instead of using DCWorkflowDump, you would go to portal_setup, click on the 'Export' tab, select 'Workflow Tool' and click the 'Export selected steps' button. After downloading the portal_setup tarball you can expand it, edit its workflows.xml file, and add the file to your filesystem Python product. The process requires a bit more work than with DCWorkflowDump, but the job still can be done in a very similar way.

Note: In Plone 3.0, the Quick Installer tool takes care of Generic Setup profiles automatically. This means that workflow definitions in a Generic Setup profile can be applied from portal_quickinstaller instead of from portal_setup.

Read more about GenericSetup: http://plone.org/documentation/tutorial/genericsetup
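
Added example (not part of the comment above and not Plone's own code): a Python script that reads a workflow definition and reports, per state, which roles hold View and whether the setting is acquired from the parent folder. It assumes the definition.xml layout that a portal_setup 'Workflow Tool' export writes for each workflow; the sample XML, the workflow id and the BROAD_ROLES set are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; layout assumed to match an exported definition.xml.
SAMPLE_DEFINITION = """\
<dc-workflow workflow_id="members_only_workflow" title="Members only (constructed)"
             state_variable="review_state" initial_state="private">
 <permission>View</permission>
 <state state_id="private" title="Private">
  <permission-map name="View" acquired="False">
   <permission-role>Manager</permission-role>
   <permission-role>Owner</permission-role>
  </permission-map>
 </state>
 <state state_id="internal" title="Members only">
  <permission-map name="View" acquired="False">
   <permission-role>Manager</permission-role>
   <permission-role>Member</permission-role>
  </permission-map>
 </state>
 <state state_id="published" title="Published">
  <permission-map name="View" acquired="True">
   <permission-role>Anonymous</permission-role>
  </permission-map>
 </state>
</dc-workflow>
"""

BROAD_ROLES = {"Anonymous", "Authenticated"}  # assumption: roles treated as "everyone"

def audit_permission(definition_xml, permission="View"):
    """Return {state_id: {"roles", "acquired", "exposed"}} for one permission."""
    report = {}
    for state in ET.fromstring(definition_xml).iter("state"):
        for pmap in state.findall("permission-map"):
            if pmap.get("name") != permission:
                continue
            roles = sorted(r.text.strip() for r in pmap.findall("permission-role") if r.text)
            # acquired="True" also inherits the parent folder's settings, so the
            # roles listed here do not bound who can see the object.
            acquired = pmap.get("acquired", "False").lower() == "true"
            report[state.get("state_id")] = {
                "roles": roles, "acquired": acquired,
                "exposed": acquired or bool(BROAD_ROLES & set(roles))}
    return report

if __name__ == "__main__":
    for state_id, row in audit_permission(SAMPLE_DEFINITION).items():
        print(state_id, row)
```
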

restrict view permissions to a group or user only

Posted by Christof Haemmerle at May 22, 2007 01:50 PM
Often I need to restrict view permission of a folder to a specific group or user only. Use case: download folder with information members only should be able to access.

Looking at the sharing tab, from my understanding the following should do the trick:
1. disabling 'Inherit roles from higher levels'
2. add a user with 'Add sharing permissions to users'
3. assign manager role to user in this context.

Still everybody can access it though. Any idea?
thanx christof

Out of date

Posted by David Charles Todd at Jul 22, 2008 08:39 PM
I believe these pages don't reflect the changes in Plone 3.0, so the designation of applying to all versions is wrong now.