Plone5 view permission depending on permission of folder - plone

I'm trying to deploy an "intranet" folder hierarchy with a simple workflow that:
shuts anonymous users out of that hierarchy, including sub-levels
lets users of a certain group enter that hierarchy only, including sub-levels
has private objects invisible by default
upon publishing makes them visible to all users of the group
private folders should deny other users (except admins) entry to that folder and access to any object below
This scenario is discussed here: http://blog.keul.it/2011/10/plone-security-and-workflows-learn-how.html?m=1
It's more or less the same here: Plone Intranet workflow and group permissions
The answer of the question of above is:
1. Leave the page or folder in the private workflow state, NOT published internally. (I think this is the step you were missing.)
2. On the Sharing tab for the page or folder, grant 'Can view' to the group you want to share with, just like you already tried. You don't have to change the "inherit permissions from higher levels" checkbox.
However, if I grant 'can view' only, the user may not enter the folder, but if I grant 'can add', too, the user may enter. However, this makes all objects below visible to all users of that group.
Example:
user is member of group1
folder in private state
-> share with group1 'can view'
user may not enter folder;
-> share with group1 'can add'
user may enter and sees all objects, even private ones
This is Plone 5.0.6, should this setup work?

Here is a reminder in general, though it might not answer the question per se.
1) Make sure you configure the 'real' target on its Sharing tab. For example, a folder with a default view might mislead the target.
2) Likewise, items with index_html IDs in a folder will become the default view, which might mislead the target.
3) Can View in the Sharing tab means the Reader role in the workflow settings. Check the permission settings in the Workflow State. The following are my example settings; hopefully they give some hints.

Related

How to manage access permission in alfresco

Hello everyone, thanks in advance for your help.
I am trying to configure access permissions in Alfresco and am now stuck in a scenario.
It would be a great help if someone could define the proper way to achieve this functionality.
Now, my problem is:
I want to create a site (which will be accessible by all users),
then I will create folders and sub-folders in that site (I am ready to customize the content type of those folders if required).
Now I want to configure Alfresco in such a way that a specific set of users can access a specific folder and its content.
for example
This is list of user
user1,user2,user3,user4,user5
And this is the folder structure:
Project
  Data
    Test
    Exam
  Design
    art
    practice
  Work
    W1
    W2
Now, how do I configure it in such a way that
user1 can access Data->Exam
user2 can access Work and all its child folders
user3 can access Data and all its child folders
user4 can access Design and all its child folders, and
user5 can access Data->Work, Design->art, Work->W1
Note that I am using the CMIS API to generate this folder structure,
so is there any way to achieve this by Java code only?
I have read about managing permissions but am not sure about using it, because when I tried to give permission on a folder it allowed me to add only a single user,
but in my case I want to make a group of users and make the folder accessible by that particular group.
Thank you so much for your time :)
If you want to use a group, you'll need to create the group in Alfresco using either the admin console or the Alfresco API. CMIS cannot manage users or groups.
Once your users and groups are in place, you can use CMIS to assign them to ACLs. However, the challenge is that you may need to disable or "break" ACL inheritance to do exactly what you want. You cannot disable ACL inheritance with the CMIS API. You'll have to do it in the UI or through the Alfresco API.
With your users and groups in place and with your folders configured to inherit or not inherit parent permissions as needed, you can now add users and groups to your folders. With CMIS, you can add as many users or groups as you need to a given folder. It is not limited to a single user or group. This page has some examples on using Access Control Entries (ACEs) which make up Access Control Lists (ACLs).
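As an added illustration of this answer (not Jeff Potts' own code), the following OpenCMIS client snippet adds a read ACE for an existing Alfresco group to one folder and then reads the effective ACL back to confirm it. The repository URL, credentials, site path `/Sites/project/documentLibrary` and the group name `exam_readers` are assumptions for the question's layout; the group must already exist in Alfresco, as the answer says.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import org.apache.chemistry.opencmis.client.api.Folder;
import org.apache.chemistry.opencmis.client.api.Session;
import org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl;
import org.apache.chemistry.opencmis.commons.SessionParameter;
import org.apache.chemistry.opencmis.commons.data.Ace;
import org.apache.chemistry.opencmis.commons.data.Acl;
import org.apache.chemistry.opencmis.commons.enums.AclPropagation;
import org.apache.chemistry.opencmis.commons.enums.BindingType;

public class FolderGroupAcl {
    /** Add a cmis:read ACE for an existing Alfresco group to one folder; returns the ACL the server reports. */
    static Acl grantGroupRead(Session session, String folderPath, String groupName) {
        Folder folder = (Folder) session.getObjectByPath(folderPath);
        // Alfresco exposes group authorities to CMIS as GROUP_<name>; the group itself must already exist.
        Ace ace = session.getObjectFactory()
                .createAce("GROUP_" + groupName, Arrays.asList("cmis:read"));
        // Inheritance from the parent folder stays as Alfresco has it; CMIS cannot break it.
        return folder.addAcl(Arrays.asList(ace), AclPropagation.REPOSITORYDETERMINED);
    }

    /** Check the effective ACL (direct and inherited entries) for the group holding cmis:read. */
    static boolean groupCanRead(Session session, String folderPath, String groupName) {
        Acl acl = session.getAcl(session.getObjectByPath(folderPath), true);
        for (Ace ace : acl.getAces()) {
            if (("GROUP_" + groupName).equals(ace.getPrincipalId())
                    && ace.getPermissions().contains("cmis:read")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Map<String, String> params = new HashMap<>();
        params.put(SessionParameter.BINDING_TYPE, BindingType.ATOMPUB.value());
        params.put(SessionParameter.ATOMPUB_URL, "http://localhost:8080/alfresco/api/-default-/public/cmis/versions/1.1/atom"); // assumed
        params.put(SessionParameter.USER, "admin");     // assumed credentials
        params.put(SessionParameter.PASSWORD, "admin");
        Session session = SessionFactoryImpl.newInstance().getRepositories(params).get(0).createSession();
        // Hypothetical site library and group mapped onto the question's layout: user1's folder.
        String examFolder = "/Sites/project/documentLibrary/Data/Exam";
        grantGroupRead(session, examFolder, "exam_readers");
        System.out.println("GROUP_exam_readers can read Data/Exam: "
                + groupCanRead(session, examFolder, "exam_readers"));
    }
}
```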
I think that Jeff Potts' answer is great; I will only add a few things. You can look at this post, which will give you an answer on how to work with ACLs: How to get Acls of a document.
You can also use the allowable actions of any folder (or document); it will look like this:
import org.apache.chemistry.opencmis.client.api.CmisObject;
import org.apache.chemistry.opencmis.commons.enums.Action;

Action a = Action.CAN_DELETE_OBJECT;
CmisObject object = session.getObjectByPath(path); // works for a folder as well as a document
if (object.getAllowableActions().getAllowableActions().contains(a)) {
    return Boolean.TRUE; // the current user may perform the action
}
Only remember that you can also get the allowable action as a String (in case you want to work with a few of them):
String canCreateFolder = Action.CAN_CREATE_FOLDER.value();
The most important Actions that you have to use:
String can_create_folder = Action.CAN_CREATE_FOLDER.value();
String can_create_document = Action.CAN_CREATE_DOCUMENT.value();
String can_update_folder = Action.CAN_UPDATE_PROPERTIES.value();
String can_update_document = Action.CAN_UPDATE_PROPERTIES.value();
String can_delete_folder = Action.CAN_DELETE_OBJECT.value();
String can_delete_document = Action.CAN_DELETE_OBJECT.value();
Hope that helped you.

different unix user permission settings within directory

Unix user account X is special, in the sense that many users can log in as user X to create working directories and execute code. The users don't directly log in as user X; they come through a web interface which carries out the execution of the code. They each get a working directory.
I don't want the users to view other users' working directories, intentionally or by accident. Is there a way to do this?
I was thinking of creating another Unix user Y and putting them in the same group, and having user Y own the working directory, leaving user X to create subdirectories under that. I am checking to see if someone has a better idea/solution to this.

Alfresco Ldap create a group folder as home folder for users

I'm using Alfresco-LDAP to migrate all my LDAP users to the Alfresco service.
So far I have managed to transfer all users, but for every user the home folder created in Alfresco is named after the user. What I would like is to share one folder among all members of an LDAP group, since I have multiple groups and every user of a group may only get files from that group.
This is the property
ldap.synchronization.defaultHomeFolderProvider
I read in the Alfresco documentation http://wiki.alfresco.com/wiki/Security_and_Authentication#Creating_home_spaces_-_from_1.4_onwards
But it seems like what I'm trying to do is not contemplated.
Any suggestion please?
Unfortunately there is no configurable HomeFolderProvider for groups supporting specific spaces. You need to create your own HomeFolderProvider in Java for that. Out of the box you could use the companyHomeFolderProvider, which is normally used if you want to disable the home folder feature. The user object requires a user home to be able to log in, and the workaround is to set the root (company_home) for that.
s.
[1] https://wiki.alfresco.com/wiki/Security_and_Authentication#Creating_home_spaces_-_from_1.4_onwards
[2] Disable the user home folder creation

Plone 4 Deletion Permission (security tab under ZMI)

I have the Intranet / Extranet workflow enabled on a Plone 4.2 site, and I have removed most of the Members permissions (so they can only view).
I created an account and started to add some content. Even though I have the "Delete portal content" permission enabled for the "Owner" role (under mysite.com/manage_access), my test user is unable to delete anything, which is great. However, they cannot delete anything they have created either (I need them to be able to delete content they create).
I have searched on Google but am getting results related more to accomplishing bulk user actions using python scripts.
Basically what I want is that if you created the content, you are able to delete it, if you did not create it you cannot delete it.
Currently I have the second part setup and that's working, but for some reason it seems to be ignoring the "Owner" role, even on content I have created.
I can't find any other permission that I could tick that would indicate the ability to delete content you own. Can anyone lend any insights? Thanks.
EDIT:
To expand on the problem: if I create a folder and then create content under it, that content is not deletable. But if I then create a folder, and content within the folder I created, the content within it is deletable, although the folder itself is not.
This was resolved by installing collective.deletepermission and adding the necessary "Delete Objects" permission to the "Owner" role in the ZMI under manage_access

What’s the “official” way to remove Plone’s Users tab?

I've got an installation of Plone 4.2.1 running nicely, but visitors to the site can click on the Users tab in the main menu and go straight to a search of all my registered users. Certainly, anonymous visitors are unable to actually list anyone, but I don't want this functionality at all.
What's the Plone way of:
removing the Users tab from the main menu?
stopping the URL /Members returning anything except 404?
Are there other effects of this functionality I should be aware of?
The Users tab is only shown because there is a Members folder (with the title Users) in the root that is publicly visible.
You have three options to deal with the default; make the Members folder private, delete it altogether, or remove the index_html default view.
Unpublish
You can 'unpublish' (retract) the folder's workflow state to make it private; anonymous users are then redirected to the login form instead of seeing the user search form:
Simply go to the folder, click on the workflow state (Published) and choose Retract.
Delete
If you do not need to have per-user folders, you can remove the Members folder altogether. You do need to make sure that user folder creation is not enabled first. Go to the Control Panel (click on your username, top right, select Site Setup):
select Security:
and make sure that Enable User Folders is not checked. If it is, uncheck it and save the settings.
Now just delete the Members folder; click Users, find the Actions menu on the right, then select Delete:
then confirm the deletion in the popup:
Deletion means all users will get a 404 when visiting /Members in your site.
Delete the default view
The Members folder contains an index_html object that provides the user search form. If all you want to get rid of is this view, you can delete it. If your Members folder is still public, visitors can still see any user folders that have been created, though.
Deleting this view requires going to the ZMI, the Zope Management Interface, navigating to the Members folder and deleting the index_html object there.
Since this is not really the recommended course of action I'm leaving out the screenshots for this part.
You can just delete the Users folder.