
#134: Reader and Editor roles

Contents
  1. Motivation
  2. Proposal
  3. Implementation
  4. Risks
  5. Progress log
by Vincenzo di Somma last modified January 3, 2007 - 06:33
It is too difficult to share a private or restricted document with another person or group. By introducing Reader and Editor roles, the Sharing tab can be used to give any given user or group the right to read or edit any object.
Proposed by
Martin Aspeli
Seconded by
Alexander Limi
Proposal type
Architecture
Assigned to release
State
completed

Motivation

User A creates a Page. The workflow is such that this page is private to him (this is the case with How-tos in the PloneHelpCenter for example). Whilst working on it, he wants to let User B review his changes, whilst User C should be allowed to edit the page as well.


The obvious place to do this would be the 'Sharing' tab. However, a regular user can assign only the 'Owner' role to another user, which obviously gives that user full read/write permissions.

Proposal

  • Add two new roles: Reader and Editor
  • Reader has the View, Access content information and List folder contents permissions enabled at the portal root level
  • Editor has these permissions, as well as Modify portal content

These roles will be acquired in the existing and custom workflows.

  • Devise a way to allow any Owner to assign Reader and Editor local roles from the Sharing tab.
  • Ensure the 'Sharing' tab is enabled for the standard content items by default, not just on folders.

Implementation

Adding the new roles and permissions should be trivial. The existing workflows may be updated to include them, but having them acquire permissions from the portal root is probably sufficient. Custom workflows can obviously redefine them as needed, but well-behaved content should not use anything outside the CMF core permissions for viewing and editing content.


The trickier part is to allow the user to assign the Reader and Editor local roles to other users. There are two main routes to achieve this:

  • Make sure all members also have Reader and Editor roles, which should let them delegate those roles to other members
  • Fake the roles on the 'Sharing' tab (or even provide some custom UI for these "special" roles) and assign the roles in unprotected code that does the appropriate checks itself.

We may want to provide some means for a site administrator to turn this behaviour off, or only allow certain roles to delegate. The second option could involve a 'Delegate responsibility' permission or similar, on by default for all members, that protects the method which manages the adding and removing of the delegated permissions.
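The second route, sketched as an added example that is not part of the proposal and is not Plone or Zope code: a self-contained Python model of assignment code that performs its own checks. All class and function names are hypothetical; only the role names, the permission names and 'Delegate responsibility' come from the text above.

```python
# Added illustration: a self-contained model, not Plone or Zope code.
# Every class and function name here is hypothetical.
ROLE_PERMISSIONS = {  # permissions as listed in the Proposal section
    "Reader": {"View", "Access content information", "List folder contents"},
    "Editor": {"View", "Access content information", "List folder contents",
               "Modify portal content"},
}
DELEGABLE_ROLES = frozenset(ROLE_PERMISSIONS)  # only Reader and Editor

class Site:
    def __init__(self):
        self.global_roles = {}  # userid -> set of site-wide roles
        # Roles holding 'Delegate responsibility'; on for all members by
        # default, and an administrator can empty the set to turn it off.
        self.delegate_roles = {"Member"}

class Content:
    def __init__(self, owner):
        self.local_roles = {owner: {"Owner"}}  # userid -> local roles

def can_delegate(site, content, actor):
    """The check the unprotected code must perform itself."""
    has_permission = bool(site.global_roles.get(actor, set()) & site.delegate_roles)
    is_owner = "Owner" in content.local_roles.get(actor, set())
    return has_permission and is_owner

def set_delegated_roles(site, content, actor, target, roles):
    """Replace target's Reader/Editor local roles on behalf of actor."""
    roles = set(roles)
    if not can_delegate(site, content, actor):
        raise PermissionError(f"{actor} may not delegate on this object")
    if not roles <= DELEGABLE_ROLES:
        # Refuse anything outside the allow-list, e.g. Owner or Manager.
        raise ValueError(f"not delegable: {sorted(roles - DELEGABLE_ROLES)}")
    # Leave the target's other local roles untouched.
    kept = content.local_roles.get(target, set()) - DELEGABLE_ROLES
    if kept | roles:
        content.local_roles[target] = kept | roles
    else:
        content.local_roles.pop(target, None)
    return content.local_roles.get(target, set())

def permissions_for(content, user):
    """Permissions a user gains on this object through delegated roles."""
    perms = set()
    for role in content.local_roles.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms
```

The allow-list is what keeps delegation from becoming privilege escalation: an Owner can hand out Reader or Editor, but a request for any other role is rejected before the local roles are touched.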

Risks

  • Existing workflows may need updating to work with the new roles. This would happen if they relied on non-standard permissions for viewing or editing content. Note that in general, doing so is discouraged.
  • The generic UI for role assignment on the 'Sharing' tab may be unsuitable for the more specific tasks of 'let this user see my content' or 'let this user edit my content'.
  • Plone should still work with these roles removed: Some sites may remove them.

Progress log

Note that this is part of the work done on the improved workflows in 3.0, and won't have bundles ready for the deadline as explained on the framework team list (Vincenzo is shepherding this, and is on vacation until a few days after the bundle deadline).

doing this in production

Posted by Justin Ryan at July 20, 2006 - 01:06

We are using a custom workflow in production which provides a Reader role using a set of permissions in private role copied from Anonymous role on visible state. I haven't had the explicit need for an Editor role, but I would use it instead of Owner in some cases, if it were around.

Author, Contributor and Reader

Posted by Encolpe Degoute at August 1, 2006 - 08:41

Some people want to split writers in two categories:
- Author that can create, copy/paste/move, delete and modify documents
- Contributor that can only copy/paste and modify yet created documents

A Contributor can submit the document and the Author can submit and publish.

Previous discussion of this idea

Posted by Tom Hallam at January 19, 2007 - 05:53
See: http://plone.org/products/plone/roadmap/26

For previous discussion and originator :)

reader and editor roles

Posted by Nandita Chakravarti at January 31, 2007 - 20:40
I am trying to set up our website with reader and editor roles right now. Yes, it would have been nice to have this as a default setting, instead of jumping through hoops trying to configure it that way. The problem I am encountering is:

If I am a manager user, and I click on the sharing tab, I can give a user or a group any kind of access: manager, reviewer, owner, member, etc.

If I am a member user, and I click on the sharing tab (for a folder that I own), I can only give a user or a group owner access to my folder!

What settings/permissions should I be changing, so that as the owner of a folder, I can give any kind of access I want to others?

Thanks,
Nandita
