plone permissions manual

JoAnna Springsteen () plone permissions manual
Hey doc team-

I've gotten caught up in doing some research at work, got frustrated
and thus decided we need a permissions manual.

So far this manual will contain:
- definitions on default roles and groups and the permissions that are
associated with them
- common customizations/use cases
- ZMI default permissions- what does each permission mean and what
does it control
- local roles- what are they, when to use, etc
- best practices-
- how roles work/interact with workflows


I seem to remember someone was working on something along these lines
awhile ago, but I'm not seeing anything on plone.org. Since
permissions are complicated and very underdocumented, I need some
help. If you have time, please raise your hand and contact me. Also,
if there are other things that a permissions manual should cover,
please let me know your thoughts. We are only going to cover defaults
in Plone and just a handful of the most common changes that people
make when adjusting their sites. The audience for this manual
definitely isn't end user but you shouldn't have to be a programmer to
understand it either.
As soon as I get some volunteers, I'll set up a collaborative space
for us to work on this. Right now I just have a bunch of messy notes
since at this point I'm just doing research.
Security and Permissions is a sorely underserved section of our
documentation. Let's beef it up starting with this manual!


JoAnna

------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
_______________________________________________
Plone-docs mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-docs
Mikko Ohtamaa () Re: plone permissions manual
> I've gotten caught up in doing some research at work, got frustrated
> and thus decided we need a permissions manual.

> - ZMI default permissions- what does each permission mean and what
> does it control

For this point, maybe here is something:


Permission documentation would be best if it's documented in ZCML permission map or CMFCore.permissions module and the human readable list is generated from this authoritative document. I think ZCML even allows you to have "description" on permissions, but I am not sure whether it is filled in or read anywhere.

-Mikko




JoAnna Springsteen () Re: plone permissions manual
> The audience for this manual
> definitely isn't end user but you shouldn't have to be a programmer to
> understand it either.


This will not be a manual for developers or for programming
permissions. It's for understanding default permissions and what they
do. It will focus on what to expect when you change a permission for a
certain role. No ZCML, no generic setup profiles. No programmatic
manipulations of permissions. Just you and the check boxes in the ZMI.
I don't doubt that something more advanced is needed, but that is not
my goal here.

Mikko Ohtamaa () Re: plone permissions manual
Hi,


> This will not be a manual for developers or for programming
> permissions. It's for understanding default permissions and what they
> do. It will focus on what to expect when you change a permission for a
> certain role. No ZCML, no generic setup profiles. No programmatic
> manipulations of permissions. Just you and the check boxes in the ZMI.
> I don't doubt that something more advanced is needed, but that is not
> my goal here.

My point was not about programming - I was hinting that the permission descriptions should be already available in the products.

Each permission should already have a human-readable description, as stated here:


If we want to maintain duplicate documentation of those descriptions it should be just a process of copy-pasting those permission description texts to one documentation.

Or 1) if we want to relieve the doc team from a task which does not belong to it 2) product authors have documented permissions with human readable descriptions in the first place, we can produce the manual JoAnna is looking for automatically.

Otherwise docteam will end up maintaining double permission descriptions and Zope users outside Plone community can't share the benefit of hard work of documenting the permissions.

-Mikko
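
The proposal in the message above, generating the human-readable permission list from the ZCML declarations themselves, shown here as an added example that is not part of the original thread or of any Plone/Zope code. The ZCML sample, the permission ids and the function names are constructed for illustration; the code assumes `<permission>` directives carry `id`, `title` and an optional `description` attribute.

```python
import xml.etree.ElementTree as ET

ZOPE_NS = "http://namespaces.zope.org/zope"

# Constructed sample ZCML (hypothetical permissions, not from a real product).
SAMPLE_ZCML = """\
<configure xmlns="http://namespaces.zope.org/zope">
  <permission id="example.ViewReports"
      title="Example: View reports"
      description="Allows viewing the reports listing." />
  <permission id="example.ManageReports"
      title="Example: Manage reports" />
  <permission id="example.ExportReports"
      title="Example: Export reports"
      description="   " />
</configure>
"""

def collect_permissions(zcml_text):
    """Return one dict per <permission> directive, sorted by title."""
    root = ET.fromstring(zcml_text)
    perms = []
    for el in root.iter("{%s}permission" % ZOPE_NS):
        perms.append({
            "id": el.get("id", ""),
            "title": el.get("title", ""),
            # Collapse whitespace so a blank description counts as missing.
            "description": " ".join((el.get("description") or "").split()),
        })
    return sorted(perms, key=lambda p: p["title"].lower())

def undocumented(perms):
    """Ids of permissions whose description was never filled in."""
    return [p["id"] for p in perms if not p["description"]]

def render_list(perms):
    """Render the plain-text list a manual could include verbatim."""
    lines = []
    for p in perms:
        text = p["description"] or "(no description declared)"
        lines.append("- %s (%s): %s" % (p["title"], p["id"], text))
    return "\n".join(lines)

if __name__ == "__main__":
    perms = collect_permissions(SAMPLE_ZCML)
    print(render_list(perms))
    print("Missing descriptions:", undocumented(perms))
```

The `undocumented` report is the part that answers the open question in the thread: it shows which declarations actually have a description filled in before anyone relies on generated output.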


Israel Saeta Pérez () Re: plone permissions manual
Mikko Ohtamaa wrote:

> Hi,
>
>
>> This will not be a manual for developers or for programming
>> permissions. It's for understanding default permissions and what they
>> do. It will focus on what to expect when you change a permission for a
>> certain role. No ZCML, no generic setup profiles. No programmatic
>> manipulations of permissions. Just you and the check boxes in the ZMI.
>> I don't doubt that something more advanced is needed, but that is not
>> my goal here.
>>
>
> My point was not about programming - I was hinting that the permission
> descriptions should be already available in the products.
>
> Each permission should already have a human-readable description, as
> stated here:
>
> http://apidoc.zope.org/++apidoc++/ZCML/http_co__sl__sl_namespaces.zope.org_sl_zope/permission/index.html
>
> If we want to maintain duplicate documentation of those descriptions it
> should be just a process of copy-pasting those permission description texts
> to one documentation.

I'm ok with copy-pasting those descriptions where needed. Why not? I don't
think they will change a lot over time, so copy-pasting should be enough.
 
> Or 1) if we want to relieve the doc team from a task which does not belong
> to it 2) product authors have documented permissions with human readable
> descriptions in the first place, we can produce the manual JoAnna is
> looking for automatically.
>
> Otherwise docteam will end up maintaining double permission descriptions
> and Zope users outside Plone community can't share the benefit of hard
> work of documenting the permissions.

I guess JoAnna is looking for something more elaborated than just a list of
permissions and their descriptions, but also some examples and common use
cases/customization. That's why I think that copy&pasting the descriptions
is the best option for now. :)

--
israel



Dylan Jay-4 () Re: plone permissions manual
In reply to this post by Mikko Ohtamaa

On 18/09/2009, at 4:35 AM, Mikko Ohtamaa wrote:

>> I've gotten caught up in doing some research at work, got frustrated
>> and thus decided we need a permissions manual.
>
>> - ZMI default permissions- what does each permission mean and what
>> does it control
>
> For this point, maybe here is something:
>
> http://svn.plone.org/svn/collective/collective.developermanual/trunk/source/security/permission_lists.txt
>
> Permission documentation would be best if it's documented in ZCML  
> permission map or CMFCore.permissions module and the human readable  
> list is generated from this authoritative document. I think ZCML  
> even allows you to have "description" on permissions, but I am not  
> sure whether it is filled in or read anywhere.

Just copy and paste JoAnna's manual back into the code Mikko :)




Mikko Ohtamaa () Re: plone permissions manual
 


>> Permission documentation would be best if it's documented in ZCML permission map or CMFCore.permissions module and the human readable list is generated from this authoritative document. I think ZCML even allows you to have "description" on permissions, but I am not sure whether it is filled in or read anywhere.
>
> Just copy and paste JoAnna's manual back into the code Mikko :)



Wonderful! I love you both :)

-Mikko


Dylan Jay-4 () Re: plone permissions manual
In reply to this post by JoAnna Springsteen
I agree with you JoAnna that the permissions are hard to understand.

I'd say that if you're using the ZMI to set permissions instead of
creating roles or workflows via ZCML then you're in for trouble as
workflows can come in overtop and wipe out your ZMI security settings.

But this is symptomatic of a larger problem that the Plone security
system is split up between changing workflows, customising a workflow,
sharing tabs, roles (for users and groups) and ZMI security tabs.
Knowing what to use when and what the consequences can get mind bending.

Just now I had to make a simple change to make all content visible  
only to members.
I had a choice between
a) Intranet workflow
b) Intranet/extranet workflow
c) Set all content private and share viewer role with all logged in  
users at root sharing tab.

In the workflows it's not shown in the UI what the exact difference  
between Internal Draft and Internally published is. After  
experimenting it seemed that my Collage won't display to logged in  
users in "internal draft" so I had to switch to Extranet workflow and  
use "Internally published".

Point is it's got too many choices and hard to predict.

Another use case I've been meaning to look into is how to create a role
or group that can add/remove users but have no other "site setup"
access.

I suspect there are some potential clever UI solutions that could help  
here
For example

- Some quick tryout tool to see what something looks like after a  
sharing/workflow change for any particular role.

- introspection that somehow produces a description of what is
enabled/disabled by a state/role. e.g. Internally published=editable by owner,
viewable to members, hidden from anonymous.

- tighter integration of sharing and workflow UIs

or perhaps it's easier to just document it and the pain will force us  
to think of a better solution :)

On 18/09/2009, at 4:50 AM, JoAnna Springsteen wrote:

>> The audience for this manual
>> definitely isn't end user but you shouldn't have to be a programmer to
>> understand it either.
>
>
> This will not be a manual for developers or for programming
> permissions. It's for understanding default permissions and what they
> do. It will focus on what to expect when you change a permission for a
> certain role. No ZCML, no generic setup profiles. No programmatic
> manipulations of permissions. Just you and the check boxes in the ZMI.
> I don't doubt that something more advanced is needed, but that is not
> my goal here.
>
JoAnna Springsteen () Re: plone permissions manual
In reply to this post by JoAnna Springsteen
For those of you who have volunteered, here is a link to my notes so far:
http://www.coactivate.org/projects/plone-documentation/permissions-manual


If you have questions or need to leave notes, please put them in
brackets and append your initials so we can tell at a glance who is
asking what.

Thanks and have fun!
