Permissions Confusion

msmith64 () Permissions Confusion
We would like to be able to control access to Manage Portlets contextually. From what I've read, this seems like a simple idea, but so far we've failed to grant a user the ability to Manage Permissions for a single page, but not for the entire site.

In the simplest case, we thought we could give a user the "Manager" role local to a specific folder,
1. So on our test box, running Plone 3.3, we created a user "jsmith" with a default role of "Member".
2. We created a folder in /Plone called "afolder" and published it. "/Plone/afolder"
3. We went to /Plone/afolder/acl_users/manage_listLocalRoles.
4. We set jsmith to be a Manager.
5. We logged in as jsmith, navigated to afolder and noted that jsmith did *not* have permission to manage portlets. (The manage-portlets button was not visible, and when we went directly to /Plone/afolder/@@manage-portlets we got permission denied.)
6. We also noticed that /Plone/acl_users/manage_listLocalRoles showed jsmith as a Manager, even outside afolder.

Can someone explain what we missed? Why did the role setting affect more than just the one folder, and why did jsmith, ostensibly a Manager, not seem to have the "Manage Portlets" permission, even though our administrative superuser did have it?

Best wishes,
Michael A. Smith
Web & Digital / Academic Technologies Manager
Nazareth College

_______________________________________________
Plone-Users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-users
Norman Fournier-3 () Re: Permissions Confusion
You may need to change a setting on the security tab in the zmi?

On 5-Nov-09, at 2:18 PM, [hidden email] wrote:

> We would like to be able to control access to Manage Portlets  
> contextually. From what I've read, this seems like a simple idea,  
> but so far we've failed to grant a user the ability to Manage  
> Permissions for a single page, but not for the entire site.
>
> In the simplest case, we thought we could give a user the "Manager"  
> role local to a specific folder,
> 1. So on our test box, running Plone 3.3, we created a user "jsmith"  
> with a default role of "Member".
> 2. We created a folder in /Plone called "afolder" and published it.  
> "/Plone/afolder"
> 3. We went to /Plone/afolder/acl_users/manage_listLocalRoles.
> 4. We set jsmith to be a Manager.
> 5. We logged in as jsmith, navigated to afolder and noted that  
> jsmith did *not* have permission to manage portlets. (The manage-
> portlets button was not visible, and when we went directly to /Plone/
> afolder/@@manage-portlets we got permission denied.)
> 6. We also noticed that /Plone/acl_users/manage_listLocalRoles  
> showed jsmith as a Manager, even outside afolder.
>
> Can someone explain what we missed? Why did the role setting affect  
> more than just the one folder, and why did jsmith, ostensibly a  
> Manager, not seem to have the "Manage Portlets" permission, even  
> though our administrative superuser did have it?
>
> Best wishes,
> Michael A. Smith
> Web & Digital / Academic Technologies Manager
> Nazareth College
>


JoAnna S () Re: Permissions Confusion
In reply to this post by msmith64
msmith64 wrote:

> We would like to be able to control access to Manage Portlets contextually. From what I've read, this seems like a simple idea, but so far we've failed to grant a user the ability to Manage Permissions for a single page, but not for the entire site.
>
> In the simplest case, we thought we could give a user the "Manager" role local to a specific folder,
> 1. So on our test box, running Plone 3.3, we created a user "jsmith" with a default role of "Member".
> 2. We created a folder in /Plone called "afolder" and published it. "/Plone/afolder"
> 3. We went to /Plone/afolder/acl_users/manage_listLocalRoles.
> 4. We set jsmith to be a Manager.
> 5. We logged in as jsmith, navigated to afolder and noted that jsmith did *not* have permission to manage portlets. (The manage-portlets button was not visible, and when we went directly to /Plone/afolder/@@manage-portlets we got permission denied.)
> 6. We also noticed that /Plone/acl_users/manage_listLocalRoles showed jsmith as a Manager, even outside afolder.
>
> Can someone explain what we missed? Why did the role setting affect more than just the one folder, and why did jsmith, ostensibly a Manager, not seem to have the "Manage Portlets" permission, even though our administrative superuser did have it?

While I'm sure there is probably a way to do this by programmatically setting permissions, I think you're seriously better off controlling this with CSS/templates/etc. That's going to allow you to be very specific about what appears where. And it's going to make your life and site management so much easier.

I'm pretty sure you asked about this in #plone yesterday so I'm guessing you're set on the permissions based approach. I think what might work is if you add another option to the sharing tab (view, review, edit, etc) that has to do with managing portlets. Once you've added this new local permission on the sharing tab, then just assign your groups that permission in the places they should have these rights.

JoAnna Springsteen
--
joanna@sixfeetup.com | +1 (317) 861-5948 x615
six feet up presents INDIGO : The Help Line for Plone
More info at http://sixfeetup.com/indigo or call +1 (866) 749-3338
Martin Aspeli () Re: Permissions Confusion
In reply to this post by msmith64
[hidden email] wrote:

> We would like to be able to control access to Manage Portlets contextually. From what I've read, this seems like a simple idea, but so far we've failed to grant a user the ability to Manage Permissions for a single page, but not for the entire site.
>
> In the simplest case, we thought we could give a user the "Manager" role local to a specific folder,
> 1. So on our test box, running Plone 3.3, we created a user "jsmith" with a default role of "Member".
> 2. We created a folder in /Plone called "afolder" and published it. "/Plone/afolder"
> 3. We went to /Plone/afolder/acl_users/manage_listLocalRoles.
> 4. We set jsmith to be a Manager.
> 5. We logged in as jsmith, navigated to afolder and noted that jsmith did *not* have permission to manage portlets. (The manage-portlets button was not visible, and when we went directly to /Plone/afolder/@@manage-portlets we got permission denied.)
> 6. We also noticed that /Plone/acl_users/manage_listLocalRoles showed jsmith as a Manager, even outside afolder.
>
> Can someone explain what we missed? Why did the role setting affect more than just the one folder, and why did jsmith, ostensibly a Manager, not seem to have the "Manage Portlets" permission, even though our administrative superuser did have it?

Whenever you want to control permissions locally, do so with workflow.
You want a custom workflow (e.g. a copy of the one you are using now)
that controls the "Manage portlets" permission and grants it to
appropriate people. If you need to grant that permission only to certain
people, you could also create a new role if none of the existing ones
will do, and assign that locally. With collective.sharingroles (or Plone
4) it's relatively easy to add such a role to the "sharing" tab.

Martin

--
Author of `Professional Plone Development`, a book for developers who
want to work with Plone. See http://martinaspeli.net/plone-book


Martin Aspeli () Re: Permissions Confusion
In reply to this post by JoAnna S
JoAnna S wrote:

> While I'm sure there is probably a way to do this by programmatically setting
> permissions, I think you're seriously better off controlling this with
> CSS/templates/etc. That's going to allow you to be very specific about what
> appears where. And it's going to make your life and site management so much
> easier.

Controlling it with CSS won't work if people don't have the permission
already, and if you grant the permission to, say, Member, you have a
security hole. Anyone can just tack /@@manage-portlets at the end of a
URL and screw with your site.

> I'm pretty sure you asked about this in #plone yesterday so I'm guessing
> you're set on the permissions based approach. I think what might work is if
> you add another option to the sharing tab (view, review, edit, etc) that has
> to do with managing portlets. Once you've added this new local permission on
> the sharing tab, then just assign your groups that permission in the places
> they should have these rights.

You can't assign permissions to groups, you can only assign permissions
to roles.

The correct way to do this, as mentioned, is with workflow.

Martin

--
Author of `Professional Plone Development`, a book for developers who
want to work with Plone. See http://martinaspeli.net/plone-book
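
The two replies above rest on the same model: a permission is granted to roles, a role can be assigned locally on one folder, and the check runs on the request to /@@manage-portlets regardless of what a template or stylesheet hides. The following is an added example, not Plone's code and not something posted in the thread: a simplified Python model of that check, in which the role name `PortletManager`, the user `other_member` and the folder `/Plone/other` are assumptions made for illustration.

```python
# Simplified model of role-based checks with local roles (not Plone/Zope code).
PERMISSION = "Manage portlets"
LOCAL_ROLE = "PortletManager"  # hypothetical custom role, not named in the thread
GLOBAL_ROLES = {"admin": {"Manager"}, "jsmith": {"Member"},
                "other_member": {"Member"}}  # other_member is constructed

class Node:
    """A content object in a containment tree, e.g. /Plone/afolder."""

    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.local_roles = {}       # user id -> roles granted on this object
        self.permission_roles = {}  # permission -> roles (a workflow's job)

    def path(self):
        return (self.parent.path() if self.parent else "") + "/" + self.name

    def lineage(self):
        node = self                 # this object, then each container upwards
        while node is not None:
            yield node
            node = node.parent

    def roles_for(self, user):
        """Global roles plus local roles set here or on any container."""
        roles = set(GLOBAL_ROLES.get(user, ()))
        for node in self.lineage():
            roles |= node.local_roles.get(user, set())
        return roles

    def roles_with(self, permission):
        """Nearest explicit permission -> roles mapping, walking upwards."""
        for node in self.lineage():
            if permission in node.permission_roles:
                return node.permission_roles[permission]
        return set()

def can_manage_portlets(user, node):
    """Server-side check on the view, independent of what the page displays."""
    return bool(node.roles_for(user) & node.roles_with(PERMISSION))

def access_report(grant_to_member=False):
    """Map (user, path) -> allowed for /Plone, /Plone/afolder, /Plone/other."""
    site = Node("Plone")
    afolder, other = Node("afolder", site), Node("other", site)  # "other" is constructed
    granted = {"Manager", LOCAL_ROLE} | ({"Member"} if grant_to_member else set())
    site.permission_roles[PERMISSION] = granted
    afolder.local_roles["jsmith"] = {LOCAL_ROLE}  # local role on afolder only
    return {(user, node.path()): can_manage_portlets(user, node)
            for user in GLOBAL_ROLES for node in (site, afolder, other)}
```

With the default mapping, jsmith is allowed only under /Plone/afolder; with `grant_to_member=True`, every Member is allowed on every path, which is the hole described above.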

