Private areas

by Mike Combs last modified 2006-11-14 12:55

Making areas of the site accessible only to certain groups

Recap of permissions, roles and workflow

For starters, by security, I mean I want to control who has which permission. The permissions I'm interested in are:

  • View -- To view the contents of the document
  • Modify portal content -- To edit the content of the document
  • Access contents information -- To see a list of what's in the folder, through any display type (summary, tabular, thumbnail, etc.)
  • List folder contents -- To see a list of what's in the folder, through the Contents display type. Users can reach this by appending /folder_contents to the folder's URL. This is usually only assigned to anonymous.


In Plone, the "who" part of security is based on roles. There are three special roles and three standard roles. The special roles generally don't confer any particular permissions.

  • anonymous -- For people who haven't logged in
  • registered -- For people logged in
  • owner -- For the person who created the particular object


There are three other roles by default: member, reviewer, manager. You can change these roles, delete them or create new ones.

In a nutshell, you can select a folder or document and enable or disable a permission for a role. For example, for the /hq folder, I disabled "view" and "access contents information" for anonymous.

However, this doesn't make the contents of the /hq folder invisible to anonymous. As documents are created within /hq, their workflow state (private/draft/published) sets their visibility, overriding what was set on the folder. So an anonymous user who knows the URL of a draft or published item can still access it. This is not what people usually expect, and thus it's a security problem.

The solution is to create a custom workflow.
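To make the problem concrete, here is a small Python model of Zope-style permission acquisition (added here as an illustration; it is not Plone's code, and the two workflow functions are simplified assumptions about what the stock "published" state and a custom private-area state do to a document). It shows that turning off View for anonymous on /hq has no effect on a document whose workflow stamps its own View setting with acquisition switched off, and that a workflow state which leaves acquisition on lets the folder's restriction win.

```python
from dataclasses import dataclass, field
from typing import Optional

ANON = "Anonymous"
MEMBER = "Member"
MANAGER = "Manager"
PERMS = ("View", "Access contents information")


@dataclass
class Node:
    """A folder or document in a simplified Zope-style content tree."""
    name: str
    parent: Optional["Node"] = None
    # permission name -> (roles granted on this object, acquire from parent?)
    perms: dict = field(default_factory=dict)

    def set_permission(self, perm, roles, acquire=True):
        self.perms[perm] = (set(roles), acquire)

    def roles_of(self, perm):
        """Collect roles up the tree until an object cuts off acquisition."""
        roles = set()
        node = self
        while node is not None:
            local, acquire = node.perms.get(perm, (set(), True))
            roles |= local
            if not acquire:
                break
            node = node.parent
        return roles

    def allowed(self, perm, user_roles):
        return bool(self.roles_of(perm) & set(user_roles))


def publish_default(doc):
    """Assumed model of the stock workflow's 'published' state: it grants
    View and Access contents information to Anonymous directly on the
    document and switches acquisition off, so the folder is never consulted."""
    for perm in PERMS:
        doc.set_permission(perm, {ANON, MEMBER, MANAGER}, acquire=False)


def publish_private_area(doc):
    """Assumed custom workflow state for a private area: grant nothing on
    the document and keep acquisition on, so the folder's setting decides."""
    for perm in PERMS:
        doc.set_permission(perm, set(), acquire=True)


def build_hq_site():
    """Constructed site: a public root and an /hq folder with anonymous
    access removed, as described in the article."""
    root = Node("/")
    for perm in PERMS:
        root.set_permission(perm, {ANON, MEMBER, MANAGER}, acquire=False)
    hq = Node("hq", parent=root)
    for perm in PERMS:
        hq.set_permission(perm, {MEMBER, MANAGER}, acquire=False)
    return root, hq


def can_view(publish, user_roles):
    """Create /hq/report, run the given workflow step on it, and report
    whether a user holding user_roles may View it."""
    _root, hq = build_hq_site()
    doc = Node("report", parent=hq)
    publish(doc)
    return doc.allowed("View", user_roles)


if __name__ == "__main__":
    print("stock workflow, anonymous:", can_view(publish_default, [ANON]))
    print("custom workflow, anonymous:", can_view(publish_private_area, [ANON]))
    print("custom workflow, member:", can_view(publish_private_area, [MEMBER]))
```

The folder-level check on /hq itself behaves as expected in both cases; what differs is whether each document inside it carries its own non-acquired View grant, which is exactly what a custom workflow lets you control.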

There are some great tutorials on security at the Plone site.

  • http://plone.org/documentation/tutorial/understanding-permissions
  • http://www.zopemag.com/Issue008/Section_Articles/article_FineGrainedPermissions.html

My goal

I'd like to make sure that newly registered users of this site cannot create content. Since new users are automatically assigned the role of member, and members can create content, it looks like the first step is to change the role users are initially given.


